Filter Evasion: Houdini on the Wire

Filter Evasion Houdini on the Wire Rob Ragan ( [email_address] ) HP Application Security Center

Overview

Filters

Understanding different kinds of filters

Identify the short comings of signature development

Evasions

Examination of relevant evasion techniques

Focus on HTTP attacks

How to bypass Snort

Some Reasons to Elude a Filter

Money

Spammers

Fun

Porn

Information

Truth seekers

Illegal act

Stealing private data

Security Filters

Used to detect actions that attempt to compromise a resource

Reactions

Allow

Deny

Log

Remove

Usually a black box

Typically use signatures, which are black lists

Why is it important to understand evasion tactics?

Cyber criminals

Using obfuscation

Penetration testers

Need to keep up with cyber criminals latest techniques

Developers (filter creators)

Need to know how to properly build filters

QA

Need to know how to properly test filters

HTTP Filters Are Everywhere Filter Example Intrusion Detection Systems (IDS) Snort Web Application Firewall (WAF) ModSecurity Server Add-on IIS UrlScan Framework ASP.NET Request Validation Browser IE8 XSS Filter Application custom sanitizer See your code

New Filters

Announced 14 October 2008

The DHS is funding new IDS/IPS development

"The OISF was formed primarily to begin the development of this new IDS/IPS engine, but will over time take on new projects and challenges." http://www.openinfosecfoundation.org

Will they learn from history and other’s mistakes?

Filter Responsibility in the OSI Model

Who is responsible for each layer?

Attackers consistently moving up the stack

The Network perimeter is safer than ever

Applications are more exposed than ever

Who creates filters?

Security professionals

Open source community

Corporations

Ultimately developers need to be responsible

Proper knowledge transfer isn’t occurring

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Whisker's anti-IDS tactics · 1999

Method matching

GET  HEAD

Url encoding

HEX %xx notation

Double slashes

'/'  '//'

Reverse traversal

/dir/blahblah/../

Self-reference directories

/dir/./././././ == /dir/

Premature request ending

Stop at the first HTTP/1.?

Parameter hiding

%3f  ?

HTTP mis-formatting

%20  %09 (TAB)

Long Urls

GET /<random>/../dir/a.cgi

DOS/Win directory syntax

'/'  ''

NULL method processing

GET

Case sensitivity

'abc'  'ABC'

Details @ http://www.wiretrip.net/rfp/txt/whiskerids.html

Playbook – Let the games begin!

How to attack HTTP filters across the stack

Canocalization

Encoding

Method tampering

Poison NULL byte

Whitespace mis-formatting

Case Sensitivity

Canocalization

Process of converting data to the simplest form

Multiple representations

Normalization

Should use simplest form before performing detection

Canocalization

Microsoft Security Bulletin MS05-004

ASP.NET Path Validation Vulnerability

The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability.“

Mozilla: http://www.target.com/secureDirsomefile.aspx

Internet Explorer: http://www.target.com/secureDir%5Csomefile.aspx

Poison NULL Byte

POST Rule Bypass Vulnerability

Vulnerable March 2007

ModSecurity

ASCIIZ

When assigning string data, the assignment will stop if an embedded NULL byte is encountered

str = " ABC " + " " + " 123 ";

str’s value is " ABC "

Bypass WAF

Content-Type: application/x-www-form-urlencoded

POST data starts with unencoded NULL byte

$ echo -e " 00&var=<script>alert(/xss/);</script> " > postdata

$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent <script>alert(/xss/);</script>

Full-Width/Half-Width Unicode

Bypass HTTP Filters

Vulnerable May 2007

Cisco, 3Com, McAfee, Novell, ISS, CheckPoint, ModSecurity

An evasion not an exploit

Full-width question mark (?) = U+FF1F

Full-Width/Half-Width Unicode Attacks

<?php

$input_var = " xefxbcx9Cscriptxefxbcx9Ealert(document.location)xefxbcx9C/scriptxefxbcx9E ";

header( 'Content-Type: text/html; charset=ISO-8859-1' );

echo iconv( 'UTF-8' , 'ISO-8859-1//TRANSLIT' , $input_var );

?>

Output:

%uff1cscript%uff1Ealert('HAI')%uff1c/script%uff1E

%EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E

HTTP Method Tampering

Bypass URL Auth

Vulnerable June 2008

Apache 2.2.6/PHP, Tomcat, WebSphere, WebLogic/JSP, ASP.NET

Security mechanism fails to restrict HTTP methods

GET functionality that is not idempotent or will execute with an arbitrary method

Does your HTTP security filter check for the “ROB” method?

HTTP Method Tampering

RFC 2616: The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response

GET requests to /admin/ required to come from a user in the admin role

Expect HEAD,PUT,DELETE to be denied, right?

Make sure the deny list is explicitly defined

Attack: HEAD /delete_user.asp?uid=666 HTTP/1.1

ASP.NET Validate Request

ASP.NET Framework XSS Filter

ASP.NET 2.0 checks for:

&#

< followed by (A-Z) or (a-z) then / or ! or ?

Skip strings that start with “__” e.g. __VIEWSTATE

Attack:

"></XSS/*-*/STYLE=xss:e/**/xpression(alert(123))>

Encoding Attack

Directory Traversal Vulnerability

Vulnerable August 2008

Apache Tomcat

When context.xml or server.xml allows 'allowLinking' and 'URIencoding' as 'UTF-8'

%c0%ae = . (dot)

http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/foo

Evasions in RSnake’s XSS Cheat Sheet

Null Byte

perl -e

'print " <IMG SRC=javascript:alert("XSS")> ";' > out

Case Insensitive

<IMG SRC=JaVaScRiPt:alert('XSS') >

Tab

<IMG SRC=" jav ascript:alert('XSS'); ">

Newline

<IMG SRC=" javascript:alert('XSS'); ">

Encoding

RFC 1738

Only alphanumeric and special characters “$-_.+!*'(),” can be included in the URL

Space is not allowed %20 or +

RSnake’s cheat sheet contains 70 unique ways to encode < (Less than)

70 Unique Ways to Encode <

<

%3C

&lt

<

&LT

&LT;

&#60

&#060

&#0060

&#00060

&#000060

&#0000060

<

<

<

<

<

<

&#x3c

&#x03c

&#x003c

&#x0003c

&#x00003c

&#x000003c

<

<

<

<

<

&#x000003c;

&#X3c

&#X03c

&#X003c

&#X0003c

&#X00003c

&#X000003c

&#X3C

&#X03C

&#X003C

&#X0003C

&#X00003C

&#X000003C

&#X3C;

&#X03C;

&#X003C;

&#X0003C;

&#X00003C;

&#X000003C;

x3c

x3C

u003c

u003C

&#X3c;

&#X03c;

&#X003c;

&#X0003c;

&#X00003c;

&#X000003c;

&#x3C

&#x03C

&#x003C

&#x0003C

&#x00003C

&#x000003C

<

<

<

<

<

&#x000003C;

Still Partying Like It’s 1999

Method matching

GET  HEAD

Url encoding

HEX %xx notation

Double slashes

'/'  '//'

Reverse traversal

/dir/blahblah/../

Self-reference directories

/dir/./././././ == /dir/

Premature request ending

Stop at the first HTTP/1.?

Parameter hiding

%3f  ?

HTTP mis-formatting

%20  %09 (TAB)

Long Urls

GET /<random>/../dir/a.cgi

DOS/Win directory syntax

'/'  ''

NULL method processing

GET

Case sensitivity

'abc'  'ABC'

ASPROX (SQL Injection) Worm

T-SQL CAST

Converts an expression of one data type to another

HEX and ASCII encode attacks

Poison NULL byte

DECLARE%20@S%20CHAR(4000);SET%20

@S=C %00 AST(0x4445434C4152452040

...

6F72%20AS%20CHAR(4000));EXEC(@S);--

Regular Expressions Are Hard

XSS Regex from ModSecurity

(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)W*?=|abort)|(?:l(?:owsrcW*?(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)W*?(?:(?:java|vb)script|shell)|mocha):|typeW*?(?:text(?:W*?(?:j(?:ava)?|ecma)script|[vbscript])|applicationW*?x-(?:java|vb)script)|s(?:(?:tyleW*=.*expressionW*|ettimeoutW*?)(|rcW*?(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)|a(?:ctivexobject|lertW*?())|<(?:(?:body .*?(?:backgroun|onloa)d|input.*?\btypeW*?image)|![CDATA[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|B@import))

Catastrophic Backtracking

Do you worry about performance when writing a Regex?

Beware of backtracking

Can lead to exponentially more CPU time for each additional input character O( n 2 )

Make sure there is no way to match the same match

Potential to DoS the filter?

Backtracking Example

(x+x+)+y

One or more of the character X

One or more of the character X

One or more of the previous two matches combined

Followed by a single character Y

PHPIDS Regex Smoketest

White lists are good, but…

How many developers or QA engineers know the entire subset of strings they’ll match or miss?

What about signature writers?

Difficult to find a balance between FP and FN

The underlying signature engine can have problems

Regex Libs Can Have Vulnerabilities

Perl-Compatible Regular Expression (PCRE)

Many serious vulnerabilities

CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007- 1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768

Even if you do everything else right, the Regex lib you use might get attacked

Biggest Target: Application Layer

What about the Transport Layer?

99 problems but TCP ain’t 1

Wrong!

Session Splicing

Network level attack

Send parts of the request in different packets

"GET / HTTP/1.0" may be split across multiple packets to be

"GE", "T ", "/", " H", "T", "TP", "/1", ".0"

Not the same as IP fragmentation

IP Fragmentation vs Session Splicing

IP Fragmentations

If the packet is too large for the link layer a router can split it into multiple fragments

Session Splicing

Purposefully delivering the payload over multiple packets to evade detection. Smaller than it needs to be.

IDS Defense

Fragment reassembly

Session reassembly

Send a reset [RST]

State of the Evasion

Does whisker’s session splicing tactic still work on Snort?

Answer: No

Why?

Session Splicing 1999 vs 2009

The current implementation in whisker will result in 1-3 characters in each packet, depending on your system and network speed

1999 2009

Bypass Snort

Pragmatic Session Splicing + Timing Attack

Use the filter’s signatures to split the payload

Vulnerable if the IDS stateful inspection timeout is less than session reassembly of the hosts it protects

Similar to fragmentation attack but instead of at the IP level we move up to the TCP level

Time Splicer

The attack is practical if we split the session on the matches found by the signature we're trying to evade

Attack:

GET /index.php?param=<script>alert(123)</script> HTTP/1.1 Host:www.target.com

Signature: Matches on <script>|</script> tags

Know the stateful inspection timeout for the IDS

Recursively find matches and split the attack string, then send each splice in a new packet with time delay between each packet

Snort Preprocessors

HTTP Inspect + Stream4

Stateful inspection

Default timeout is 30 seconds

# stream4: stateful inspection/stream reassembly for Snort

#------------------------------------------------------------ # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc.