Filter Evasion: Houdini on the Wire



Today, security filters can be found on our network perimeter, on our servers, and in our frameworks and applications. As the network perimeter becomes more secure, applications become more of a target, and security filters such as IDS and WAF are relied upon to protect them. Intrusion detection evasion techniques were pioneered over a decade ago; how are today's filters withstanding ever-evolving evasion tactics? The presentation examines how evasion techniques worked in the past and provides insight into how these techniques can still work today, with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated, along with a tool to test other IDS for the vulnerability found in Snort. (Outerz0ne 2009)

Video of this presentation at Outerz0ne 5:


1. Filter Evasion: Houdini on the Wire
   Rob Ragan ( [email_address] ), HP Application Security Center

2. Overview
   - Filters
     - Understanding different kinds of filters
     - Identifying the shortcomings of signature development
   - Evasions
     - Examination of relevant evasion techniques
     - Focus on HTTP attacks
   - How to bypass Snort

3. Some Reasons to Elude a Filter
   - Money: spammers
   - Fun: porn
   - Information: truth seekers
   - Illegal acts: stealing private data

4. Security Filters
   - Used to detect actions that attempt to compromise a resource
     - Reactions: allow, deny, log, remove
   - Usually a black box
   - Typically use signatures, which are black lists

5. Why is it important to understand evasion tactics?
   - Cyber criminals are using obfuscation
   - Penetration testers need to keep up with cyber criminals' latest techniques
   - Developers (filter creators) need to know how to properly build filters
   - QA needs to know how to properly test filters

6. HTTP Filters Are Everywhere

   Filter                             Example
   Intrusion Detection System (IDS)   Snort
   Web Application Firewall (WAF)     ModSecurity
   Server add-on                      IIS UrlScan
   Framework                          ASP.NET Request Validation
   Browser                            IE8 XSS Filter
   Application                        Custom sanitizer (see your code)

7. New Filters
   - Announced 14 October 2008
   - The DHS is funding new IDS/IPS development
     - "The OISF was formed primarily to begin the development of this new IDS/IPS engine, but will over time take on new projects and challenges."
   - Will they learn from history and others' mistakes?

8. Filter Responsibility in the OSI Model

9. Who is responsible for each layer?
   - Attackers are consistently moving up the stack
     - The network perimeter is safer than ever
     - Applications are more exposed than ever
   - Who creates filters?
     - Security professionals
     - Open source community
     - Corporations
   - Ultimately developers need to be responsible
   - Proper knowledge transfer isn't occurring

10. In February 1676 Sir Isaac Newton wrote in a letter to Robert Hooke: "If I have seen a little further it is by standing on the shoulders of Giants", implying that while he may have come up with the final idea, he was only able to do so because of the work of those who had gone before him.

11. Whisker's anti-IDS tactics (1999)
   - Method matching: GET → HEAD
   - URL encoding: hex %xx notation
   - Double slashes: '/' → '//'
   - Reverse traversal: /dir/blahblah/../
   - Self-reference directories: /dir/./././././ == /dir/
   - Premature request ending: stop at the first HTTP/1.?
   - Parameter hiding: %3f → ?
   - HTTP mis-formatting: %20 → %09 (TAB)
   - Long URLs: GET /<random>/../dir/a.cgi
   - DOS/Win directory syntax: '/' → '\'
   - NULL method processing: GET
   - Case sensitivity: 'abc' → 'ABC'
   Details @

12. Playbook: Let the games begin!
   - How to attack HTTP filters across the stack
     - Canonicalization
     - Encoding
     - Method tampering
     - Poison NULL byte
     - Whitespace mis-formatting
     - Case sensitivity

13. Canonicalization
   - The process of converting data to its simplest form
   - Multiple representations of the same data
   - Normalization
     - The simplest form should be used before performing detection

14. Canonicalization
   - Microsoft Security Bulletin MS05-004: ASP.NET Path Validation Vulnerability
     - "The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) '\' (backslash) or (2) '%5C' (encoded backslash), aka 'Path Validation Vulnerability.'"
   - Mozilla:
   - Internet Explorer:

15. Poison NULL Byte
   - POST Rule Bypass Vulnerability
   - Vulnerable March 2007: ModSecurity
   - ASCIIZ
     - When assigning string data, the assignment will stop if an embedded NULL byte is encountered
         str = "ABC" + "\0" + "123";
         str's value is "ABC"

16. Bypass WAF
   - Content-Type: application/x-www-form-urlencoded
   - POST data starts with an unencoded NULL byte
       $ echo -e "\00&var=<script>alert(/xss/);</script>" > postdata
       $ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
       <script>alert(/xss/);</script>

17. Full-Width/Half-Width Unicode
   - Bypass HTTP filters
   - Vulnerable May 2007: Cisco, 3Com, McAfee, Novell, ISS, CheckPoint, ModSecurity
   - An evasion, not an exploit
   - Full-width question mark (？) = U+FF1F

18. Full-Width/Half-Width Unicode Attacks
       <?php
       $input_var = "\xef\xbc\x9Cscript\xef\xbc\x9Ealert(document.location)\xef\xbc\x9C/script\xef\xbc\x9E";
       header('Content-Type: text/html; charset=ISO-8859-1');
       echo iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $input_var);
       ?>
   Output:
       %uff1cscript%uff1Ealert('HAI')%uff1c/script%uff1E
       %EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E

19. HTTP Method Tampering
   - Bypass URL auth
   - Vulnerable June 2008: Apache 2.2.6/PHP, Tomcat, WebSphere, WebLogic/JSP, ASP.NET
   - Security mechanism fails to restrict HTTP methods
   - GET functionality that is not idempotent or will execute with an arbitrary method
   - Does your HTTP security filter check for the "ROB" method?

20. HTTP Method Tampering
   - RFC 2616: the HEAD method is identical to GET except that the server MUST NOT return a message-body in the response
   - GET requests to /admin/ are required to come from a user in the admin role
   - Expect HEAD, PUT, DELETE to be denied, right?
   - Make sure the deny list is explicitly defined
   - Attack: HEAD /delete_user.asp?uid=666 HTTP/1.1
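An added illustration of slides 19 and 20 (not code from the deck): a URL-authorization check that only gates GET, beside a deny-by-default version. The `Request` type, the `ALLOWED_METHODS` set, the `USER_ROLES` table and the `/admin/` path are constructed for the example.

```python
from dataclasses import dataclass

# Assumption: the application only ever serves these verbs.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Constructed sample users; in a real application this comes from the session.
USER_ROLES = {"alice": {"admin"}, "bob": {"user"}}

@dataclass
class Request:
    method: str
    path: str
    user: str

def is_admin(user: str) -> bool:
    return "admin" in USER_ROLES.get(user, set())

def weak_authorize(req: Request) -> bool:
    """The slide's mistake: the role check is keyed on GET alone. Most
    frameworks dispatch HEAD to the GET handler, and unknown verbs such as
    ROB often fall through to it too, so the side effect still executes."""
    if req.method == "GET" and req.path.startswith("/admin/"):
        return is_admin(req.user)
    return True

def hardened_authorize(req: Request) -> bool:
    """Deny by default: reject verbs the application does not serve, then
    apply the path rule to every verb that remains, so the resource is
    gated however it is reached."""
    if req.method not in ALLOWED_METHODS:
        return False
    if req.path.startswith("/admin/"):
        return is_admin(req.user)
    return True

def compare(method: str, user: str = "bob") -> tuple:
    """(weak verdict, hardened verdict) for a user hitting a protected URL."""
    req = Request(method, "/admin/delete_user.asp?uid=666", user)
    return weak_authorize(req), hardened_authorize(req)

if __name__ == "__main__":
    for verb in ("GET", "HEAD", "DELETE", "ROB"):
        print(verb, compare(verb))
```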
21. ASP.NET Validate Request

22. ASP.NET Framework XSS Filter
   - ASP.NET 2.0 checks for:
     - &#
     - < followed by (A-Z) or (a-z), or by / or ! or ?
     - Skips strings that start with "__", e.g. __VIEWSTATE
   - Attack:
       "></XSS/*-*/STYLE=xss:e/**/xpression(alert(123))>

23. Encoding Attack
   - Directory Traversal Vulnerability
   - Vulnerable August 2008: Apache Tomcat
   - When context.xml or server.xml allows 'allowLinking' and sets 'URIEncoding' to 'UTF-8'
   - %c0%ae = . (dot)

24. Evasions in RSnake's XSS Cheat Sheet
   - Null byte
       perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
   - Case insensitive
       <IMG SRC=JaVaScRiPt:alert('XSS')>
   - Tab (an embedded tab between "jav" and "ascript", shown here as a space)
       <IMG SRC="jav ascript:alert('XSS');">
   - Newline (an embedded newline at the same position)
       <IMG SRC="jav ascript:alert('XSS');">

25. Encoding
   - RFC 1738
     - Only alphanumerics and the special characters "$-_.+!*'()," can be included in the URL
   - Space is not allowed: %20 or +
   - RSnake's cheat sheet contains 70 unique ways to encode < (less than)

26. 70 Unique Ways to Encode <
   - Literal and URL-encoded: <  %3C
   - Named entities, with and without the semicolon: &lt  &lt;  &LT  &LT;
   - Decimal entities with leading zeros: &#60  &#060  &#0060  &#00060  &#000060  &#0000060
   - Six more entries that SlideShare has decoded to a literal < (by the pattern of the list, the same six forms with a trailing semicolon)
   - Hex entities, lower-case x and c: &#x3c  &#x03c  &#x003c  &#x0003c  &#x00003c  &#x000003c
   - Five entries decoded to a literal <, then &#x000003c;
   - Upper-case X, lower-case c: &#X3c  &#X03c  &#X003c  &#X0003c  &#X00003c  &#X000003c
   - Upper-case X and C: &#X3C  &#X03C  &#X003C  &#X0003C  &#X00003C  &#X000003C
   - Five entries decoded to a literal <, then &#X000003C;
   - Escape sequences: \x3c  \x3C  \u003c  \u003C
   - Five entries decoded to a literal <, then &#X000003c;
   - Lower-case x, upper-case C: &#x3C  &#x03C  &#x003C  &#x0003C  &#x00003C  &#x000003C
   - Five entries decoded to a literal <, then &#x000003C;
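An added example, not from the deck, of the normalization slides 13 and 14 call for, applied to the encodings from slides 15 to 18, 23, 25 and 26: one detection-side canonicalizer that folds percent and %u encoding, overlong UTF-8, \x and \u escapes, HTML entities with or without semicolons, full-width Unicode, backslash separators and NUL bytes into a single form before a signature is applied. Function names and the sample strings are constructed; the decoding steps generalize what the slides show one instance of each.

```python
import html
import re
import unicodedata
from urllib.parse import unquote_to_bytes

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")                             # %uff1c
_BS_ESC = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|0)")   # \x3c \u003c \0
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")                      # %c0%ae -> '.'

def _percent_decode(s: str) -> str:
    s = _PCT_U.sub(lambda m: chr(int(m[1], 16)), s)
    raw = unquote_to_bytes(s)                          # %3C, %EF%BC%9C, %c0%ae ...
    # Fold overlong two-byte sequences that strict UTF-8 rejects but the
    # slide's Tomcat configuration accepted.
    raw = _OVERLONG.sub(lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)
    return raw.decode("utf-8", "replace")

def _one_pass(s: str) -> str:
    s = _percent_decode(s)
    s = _BS_ESC.sub(lambda m: chr(int(m[1] or m[2] or "0", 16)), s)
    s = html.unescape(s)                  # &lt &LT; &#60 &#0000060; &#x3c &#X000003C;
    s = unicodedata.normalize("NFKC", s)  # full-width U+FF1C -> '<'
    s = s.replace("\\", "/")              # MS05-004: '\' and '%5C' as separators
    s = s.replace("\x00", "")             # ASCIIZ: a C string ends at the NUL
    s = re.sub(r"/(?:\./)+", "/", s)      # /dir/./././ == /dir/
    return s.replace("//", "/")

def canonicalize(s: str, max_rounds: int = 4) -> str:
    """Decode to a fixed point (bounded) so double encoding such as %253C
    does not survive. The application must decode the same way, or filter
    and server disagree and the evasion returns."""
    for _ in range(max_rounds):
        nxt = _one_pass(s)
        if nxt == s:
            break
        s = nxt
    return s

def naive_match(s: str) -> bool:
    """A signature applied to the raw request, as a weak filter would."""
    return "<script" in s.lower()

def canonical_match(s: str) -> bool:
    """The same signature applied after canonicalization."""
    return naive_match(canonicalize(s))

# Constructed samples: one member of each family on the "70 ways" slide,
# plus the full-width and overlong forms from the earlier slides.
LESS_THAN_FORMS = ["<", "%3C", "&lt", "&LT;", "&#60", "&#0000060;", "&#x3c",
                   "&#X000003C;", r"\x3c", r"\u003C", "%EF%BC%9C", "%uff1c",
                   "\uff1c", "%c0%bc"]
```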
27. Still Partying Like It's 1999
   - Method matching: GET → HEAD
   - URL encoding: hex %xx notation
   - Double slashes: '/' → '//'
   - Reverse traversal: /dir/blahblah/../
   - Self-reference directories: /dir/./././././ == /dir/
   - Premature request ending: stop at the first HTTP/1.?
   - Parameter hiding: %3f → ?
   - HTTP mis-formatting: %20 → %09 (TAB)
   - Long URLs: GET /<random>/../dir/a.cgi
   - DOS/Win directory syntax: '/' → '\'
   - NULL method processing: GET
   - Case sensitivity: 'abc' → 'ABC'

28. ASPROX (SQL Injection) Worm
   - T-SQL CAST
     - Converts an expression of one data type to another
     - HEX and ASCII encode attacks
     - Poison NULL byte
       DECLARE%20@S%20CHAR(4000);SET%20@S=C%00AST(0x4445434C4152452040
       ...
       6F72%20AS%20CHAR(4000));EXEC(@S);--

29. Regular Expressions Are Hard
   - XSS regex from ModSecurity:
       (?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\W*?=|abort)|(?:l(?:owsrc\W*?(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\W*?(?:(?:java|vb)script|shell)|mocha):|type\W*?(?:text(?:\W*?(?:j(?:ava)?|ecma)script|[vbscript])|application\W*?x-(?:java|vb)script)|s(?:(?:tyle\W*=.*expression\W*|ettimeout\W*?)\(|rc\W*?(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)|a(?:ctivexobject|lert\W*?\()|<(?:(?:body .*?(?:backgroun|onloa)d|input.*?type\W*?image)|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\B@import))

30. Catastrophic Backtracking
   - Do you worry about performance when writing a regex?
   - Beware of backtracking
   - Can lead to exponentially more CPU time for each additional input character, O(n²)
   - Make sure there is no way to match the same match
   - Potential to DoS the filter?

31. Backtracking Example
   - (x+x+)+y
     - One or more of the character x
     - One or more of the character x
     - One or more of the previous two matches combined
     - Followed by a single character y
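An added example, not from the deck: slide 31's pattern beside an equivalent pattern that cannot backtrack catastrophically (the rewrite `x{2,}y` is mine, not something the slides propose), with a harness that shows the doubling per extra input character on the input that forces a full backtrack.

```python
import re
import time

EVIL = re.compile(r"(x+x+)+y")   # slide 31: nested quantifiers over the same character
SAFE = re.compile(r"x{2,}y")     # same language (two or more x, then y), one quantifier

def same_verdict(s: str) -> bool:
    """Both patterns accept or reject s identically (unanchored search)."""
    return (EVIL.search(s) is None) == (SAFE.search(s) is None)

def seconds_to_fail(pattern, n: int) -> float:
    """Time one search over n x's with no y: the engine must try every way
    of carving the run into (x+x+) groups before it can report no match."""
    s = "x" * n
    t0 = time.perf_counter()
    if pattern.search(s) is not None:
        raise ValueError("input was expected not to match")
    return time.perf_counter() - t0

def doubling_ratio(n: int) -> float:
    """How much longer EVIL takes on n+1 characters than on n. Once n is
    large enough for the matching work to dominate interpreter overhead the
    ratio sits near 2, the exponential growth slide 30 warns about; SAFE
    stays flat. Python's re has no match timeout, so the defenses are the
    rewrite above, an input-length cap, or a linear-time engine such as RE2."""
    return seconds_to_fail(EVIL, n + 1) / max(seconds_to_fail(EVIL, n), 1e-9)

if __name__ == "__main__":
    for n in range(12, 21):
        print(f"n={n:2d}  evil={seconds_to_fail(EVIL, n):.4f}s"
              f"  safe={seconds_to_fail(SAFE, n):.6f}s")
```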
32. PHPIDS Regex Smoketest

33. PHPIDS Regex Smoketest

34. White lists are good, but...
   - How many developers or QA engineers know the entire subset of strings they'll match or miss?
   - What about signature writers?
   - Difficult to find a balance between FP and FN
   - The underlying signature engine can have problems

35. Regex Libs Can Have Vulnerabilities
   - Perl-Compatible Regular Expressions (PCRE)
     - Many serious vulnerabilities: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
   - Even if you do everything else right, the regex lib you use might get attacked

36. Biggest Target: Application Layer
   - What about the transport layer?
   - 99 problems but TCP ain't 1
   - Wrong!

37. Session Splicing
   - Network-level attack
   - Send parts of the request in different packets
     - "GET / HTTP/1.0" may be split across multiple packets to become
       "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
   - Not the same as IP fragmentation

38. IP Fragmentation vs Session Splicing
   - IP fragmentation
     - If the packet is too large for the link layer, a router can split it into multiple fragments
   - Session splicing
     - Purposefully delivering the payload over multiple packets, each smaller than it needs to be, to evade detection
   - IDS defense
     - Fragment reassembly
     - Session reassembly
     - Send a reset [RST]

39. State of the Evasion
   - Does whisker's session splicing tactic still work on Snort?
   - Answer: No
   - Why?

40. Session Splicing 1999 vs 2009
   - The current implementation in whisker will result in 1-3 characters in each packet, depending on your system and network speed
   [Figure: 1999 vs 2009 comparison]

41. Bypass Snort
   - Pragmatic session splicing + timing attack
     - Use the filter's signatures to split the payload
     - Vulnerable if the IDS stateful inspection timeout is less than the session reassembly timeout of the hosts it protects
     - Similar to a fragmentation attack, but instead of the IP level we move up to the TCP level

42. Time Splicer
   - The attack is practical if we split the session on the matches found by the signature we're trying to evade
   - Attack:
       GET /index.php?param=<script>alert(123)</script> HTTP/1.1
   - Signature: matches on <script> | </script> tags
   - Know the stateful inspection timeout for the IDS
   - Recursively find matches and split the attack string, then send each splice in a new packet with a time delay between each packet

43. Snort Preprocessors
   - HTTP Inspect + Stream4
   - Stateful inspection
   - Default timeout is 30 seconds
       # stream4: stateful inspection/stream reassembly for Snort
       #------------------------------------------------------------
       # Use in concert with the -z [all|est] command line switch to defeat
       # stick/snot against TCP rules. Also performs full TCP stream
       # reassembly, stateful inspection of TCP streams, etc. Can statefully
       # detect various portscan types, fingerprinting, ECN, etc.
       # stateful inspection directive
       # no arguments loads the defaults (timeout 30, memcap 8388608)

44.
       POST /rootlogin.asp HTTP/1.1
       Host:
       Keep-Alive: 300
       Content-Type: application/x-www-form-urlencoded
       Content-Length: 102

       txtPassPhrase=&txtName=%3Cs
       ... WAIT 30s ...
       cript%3Ealert%283%29%3C%2F
       ... WAIT 30s ...
       script%3E&txtHidden=This+was+hidden+from+the+user

46. Default Session Timeouts
   - What can you do?
   - Fingerprint the server and application technology
   - Fingerprint the IDS

   Server Type        Timeout
   Apache/PHP         10 minutes
   IIS 5.0/ASP        15 minutes
   IIS 6.0/ASP.NET    20 minutes
   IIS 7.0/ASP.NET    20 minutes
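An added simulation, not code from the deck or from the Time Splicer tool, of the mismatch slides 41 to 46 describe: both the IDS and the web server reassemble slide 44's body from fragments, the IDS forgets a stream once it has been idle for its stateful-inspection timeout (the stream4 default of 30 seconds from slide 43), and the server keeps the connection alive for its own, longer timeout (slide 46's table). The `Reassembler` class, the `run` and `ids_timeout_is_adequate` functions and the fragment timings are constructed; a stream is treated as pruned when the gap reaches the timeout.

```python
from urllib.parse import unquote

SIGNATURE = "<script>"   # what slide 42's rule matches once the body is decoded

# Slide 44's request body as (seconds_sent, fragment); the 30 s gaps are the
# slide's "WAIT 30s" steps, aligned with the stream4 default timeout.
FRAGMENTS = [
    (0, "txtPassPhrase=&txtName=%3Cs"),
    (30, "cript%3Ealert%283%29%3C%2F"),
    (60, "script%3E&txtHidden=This+was+hidden+from+the+user"),
]

# Slide 46's table, in seconds.
HOST_TIMEOUTS_S = {"Apache/PHP": 600, "IIS 5.0/ASP": 900,
                   "IIS 6.0/ASP.NET": 1200, "IIS 7.0/ASP.NET": 1200}

class Reassembler:
    """Minimal stream reassembly: bytes accumulate until the stream has been
    idle for `idle_timeout` seconds, then its state is pruned. An IDS and a
    web server both behave this way, with different clocks."""
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.buffer = ""
        self.last_seen = None

    def feed(self, t: float, fragment: str) -> None:
        if self.last_seen is not None and t - self.last_seen >= self.idle_timeout:
            self.buffer = ""            # pruned: the earlier fragments are forgotten
        self.buffer += fragment
        self.last_seen = t

    def sees_signature(self) -> bool:
        return SIGNATURE in unquote(self.buffer)

def run(ids_timeout: float, server_timeout: float, fragments=FRAGMENTS) -> tuple:
    """(ids_alerted, server_received_full_payload) for one spliced request."""
    ids, server = Reassembler(ids_timeout), Reassembler(server_timeout)
    alerted = False
    for t, frag in fragments:
        ids.feed(t, frag)
        server.feed(t, frag)
        alerted = alerted or ids.sees_signature()   # the IDS inspects on every arrival
    return alerted, server.sees_signature()

def ids_timeout_is_adequate(ids_timeout: float, host_timeouts: dict) -> bool:
    """Configuration check: the IDS must keep state at least as long as the
    slowest host behind it keeps a half-received request alive. Raising the
    timeout costs memory (stream4 also has a memcap), so shortening the
    hosts' own request timeouts is the other half of the fix."""
    return ids_timeout >= max(host_timeouts.values())

if __name__ == "__main__":
    print("stream4 default vs Apache/PHP:", run(30, HOST_TIMEOUTS_S["Apache/PHP"]))
    print("IDS timeout raised to 20 min: ", run(1200, HOST_TIMEOUTS_S["Apache/PHP"]))
```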
47. DEMO
   - Time Splicer

48. Questions?

49. Rob Ragan ( [email_address] )
   - Check out the HP Security Laboratory on the Blogosphere