Re: IDS's, host: headers, and .printer ISAPI overflow as an example

From: Riley Hassell (rileyat_private)
Date: Mon Jun 11 2001 - 11:02:10 PDT


    A malicious attacker could also bypass IDSs that do a string length check
    as a means to identify the .printer overflow.
    
    (the overflow occurs in a string concatenation function, not a copy :)
    
    For example:
    --------------------------------------------------
    GET /X.printer HTTP/1.1
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    Host: 50 bytes
    ...etc
    --------------------------------------------------
    
    An attacker can bypass almost any length check by using multiple payloads.
    
    ...and as Marc said, making shellcode to bypass any shellcode check is
    possible. The only part of a payload that needs to remain executable is the
    initial decoding/decrypting engine. If an attacker writes his engine in
    non-highbit bytes, detection becomes very hard. ALPHA/ASCII engines are really
    bad news for the security industry.
    
    So:
    --------------------------------------------------
    GET /X.printer HTTP/1.1
    Host: ENGINE
    Host: ENCRYPTED_PAYLOAD1, jmp 2
    Host: ENCRYPTED_PAYLOAD2, jmp 3
    Host: ENCRYPTED_PAYLOAD3, jmp 4
    Host: ENCRYPTED_PAYLOAD4, jmp 5
    Host: ENCRYPTED_PAYLOAD5, jmp 6
    Host: ENCRYPTED_PAYLOAD6, jmp 7
    Host: ENCRYPTED_PAYLOAD7, jmp 8
    ...etc
    --------------------------------------------------
    
    Checking for multiple host fields would be sufficient to stop this variant,
    but using other HTTP variables would bypass that fix.
    
    We could also store our payload in HEAP during a previous session. IIS ISAPI
    HEAP can be reached using ASCII values. So all we need to do in the attacking
    session is send a feasible buffer with 4 ASCII bytes appended to it.
    
    We could of course detect buffer length, unless the overflow can be
    triggered due to a formatting problem or concatenation.
    
    ... :(
    
    Possible Solution:
    Reduce the window of opportunity overall, allowing what you need, stop the
    rest all the way down the ladder...
    From the application layer to the hardware layer...
    
    I could go on for quite some time why matching patterns in a patternless
    world isn't the silver bullet security solution, but a good IDS will catch
    the majority of attacks.
    
    ...kinda like stopping people with funny T-shirts coming through customs...
    
    
    Riley Hassell
    Vulnerability Developer
    eEye Digital Security
    
    Get up...
    and light the world on fire.
    
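The length-check bypass described in the post, as an added example that is not part of the original message: three IDS-style checks run over the same constructed request, showing that a per-header measurement never sees more than 50 bytes while a check on what the server actually concatenates does. `MAX_FIELD_BYTES`, the sample requests and the `X-H*` header names are constructed for illustration, not taken from the real .printer limits.

```python
# Added example, not from the original post: three IDS-style length checks
# over the same request, showing why a concatenation overflow defeats
# per-header measurement. MAX_FIELD_BYTES is a constructed placeholder,
# not the real .printer buffer size.
from collections import defaultdict

MAX_FIELD_BYTES = 256  # constructed threshold for illustration


def parse_request(raw: bytes):
    """Return (request_line, [(name, value), ...]); repeated names are kept."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate junk or continuation lines
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def naive_check(raw: bytes) -> bool:
    """Per-occurrence check: flags only if one header value is oversized."""
    return any(len(v) > MAX_FIELD_BYTES for _, v in parse_request(raw)[1])


def per_name_check(raw: bytes) -> bool:
    """Sum each header name across repeats (what a concatenating server sees)."""
    totals = defaultdict(int)
    for name, value in parse_request(raw)[1]:
        totals[name] += len(value)
    return any(t > MAX_FIELD_BYTES for t in totals.values())


def whole_request_check(raw: bytes) -> bool:
    """Sum every header value; catches payload spread over different names."""
    return sum(len(v) for _, v in parse_request(raw)[1]) > MAX_FIELD_BYTES


# Constructed sample: eight 50-byte Host headers, each below the threshold.
SAMPLE = b"GET /X.printer HTTP/1.1\r\n" + (b"Host: " + b"A" * 50 + b"\r\n") * 8 + b"\r\n"

# Constructed variant: the same 400 bytes spread across eight different names.
SPLIT = b"GET /X.printer HTTP/1.1\r\n" + b"".join(
    b"X-H%d: " % i + b"A" * 50 + b"\r\n" for i in range(8)) + b"\r\n"

if __name__ == "__main__":
    for label, req in (("repeated Host", SAMPLE), ("split names", SPLIT)):
        print(label, naive_check(req), per_name_check(req), whole_request_check(req))
```

As the post itself notes, none of these length checks helps once the payload was staged in the heap during an earlier session; that variant needs the exposure reduced on the host rather than a longer ruler on the wire.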



    This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 16:24:40 PDT