A malicious attacker could also bypass IDSes that do a string length check as a means to identify the .printer overflow. (The overflow occurs in a string concatenation function, not a copy :) For example:

--------------------------------------------------
GET /X.printer HTTP/1.1
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
...etc
--------------------------------------------------

An attacker can bypass almost any length check by using multiple payloads.

...and as Marc said, making shellcode to bypass any shellcode check is possible. The only part of a payload that needs to remain executable is the initial decoding/decrypting engine. If an attacker writes his engine in non-highbit bytes, detection becomes very hard. ALPHA/ASCII engines are really bad news for the security industry. So:

--------------------------------------------------
GET /X.printer HTTP/1.1
Host: ENGINE
Host: ENCRYPTED_PAYLOAD1, jmp 2
Host: ENCRYPTED_PAYLOAD2, jmp 3
Host: ENCRYPTED_PAYLOAD3, jmp 4
Host: ENCRYPTED_PAYLOAD4, jmp 5
Host: ENCRYPTED_PAYLOAD5, jmp 6
Host: ENCRYPTED_PAYLOAD6, jmp 7
Host: ENCRYPTED_PAYLOAD7, jmp 8
...etc
--------------------------------------------------

Checking for multiple host fields would be sufficient to stop this variant, but using other HTTP variables would bypass that fix.

We could also store our payload in HEAP during a previous session. IIS ISAPI HEAP can be reached using ASCII values. So all we need to do in the attacking session is send a feasible buffer with 4 ASCII bytes appended to it. We could of course detect buffer length, unless the overflow can be triggered due to a formatting problem or concatenation. ... :(

Possible Solution: Reduce the window of opportunity overall, allowing what you need, stop the rest all the way down the ladder... From the application layer to the hardware layer...
I could go on for quite some time about why matching patterns in a patternless world isn't the silver bullet security solution, but a good IDS will catch the majority of attacks. ...kinda like stopping people with funny T-shirts coming through customs...

Riley Hassell
Vulnerability Developer
eEye Digital Security

Get up... and light the world on fire.
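The post above makes a detection point worth seeing in code: a per-field length check is blind to an oversized value that has been split across repeated Host fields (or spread over several different header names). The following is an added illustration, not code from Riley Hassell's post or from any IDS product. It parses a raw HTTP header block, applies the naive single-field check, and then a hardened check that counts repeated header names, sums lengths per name, and sums lengths across all headers. The thresholds and the sample requests are constructed for the example; real limits would be tuned to the protected application.

```python
"""Header-aggregation check for fragmented overlong HTTP headers.

Added illustration (not code from the original post). A per-field length
check is bypassed by splitting an oversized value across repeated header
fields, so a detector must count duplicates and sum lengths across the whole
request. All thresholds below are assumed values chosen for the example.
"""
from collections import defaultdict

MAX_FIELD_LEN = 256           # assumed per-field limit a naive check applies
MAX_AGGREGATE_LEN = 512       # assumed limit on combined length of one header name
MAX_TOTAL_HEADER_LEN = 1024   # assumed limit on all header values combined


def parse_headers(raw_request: str):
    """Return (request_line, [(name, value), ...]), keeping repeated headers
    in order rather than collapsing them into a dict (which would hide the
    fragmentation the check is looking for)."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def naive_check(raw_request: str) -> list:
    """The per-field check described in the post: only a single long value
    trips it, so a value split into 50-byte pieces passes unnoticed."""
    _, headers = parse_headers(raw_request)
    return [f"{n}: field length {len(v)} > {MAX_FIELD_LEN}"
            for n, v in headers if len(v) > MAX_FIELD_LEN]


def aggregate_check(raw_request: str) -> list:
    """Hardened check: repeated header names, summed length per name, and
    total header length, so splitting across fields or across different
    header names is still visible."""
    _, headers = parse_headers(raw_request)
    findings = naive_check(raw_request)
    per_name = defaultdict(list)
    for n, v in headers:
        per_name[n].append(v)
    for n, values in per_name.items():
        if len(values) > 1:
            findings.append(f"{n}: repeated {len(values)} times")
        combined = sum(len(v) for v in values)
        if combined > MAX_AGGREGATE_LEN:
            findings.append(f"{n}: combined length {combined} > {MAX_AGGREGATE_LEN}")
    total = sum(len(v) for _, v in headers)
    if total > MAX_TOTAL_HEADER_LEN:
        findings.append(f"all headers: total length {total} > {MAX_TOTAL_HEADER_LEN}")
    return findings


# Constructed sample requests for the example (not captured traffic).
NORMAL_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SINGLE_LONG_REQUEST = "GET /x.printer HTTP/1.1\r\nHost: " + "A" * 600 + "\r\n\r\n"
# The post's first variant: the same length split over twelve 50-byte Host fields.
FRAGMENTED_REQUEST = ("GET /x.printer HTTP/1.1\r\n"
                      + "".join("Host: " + "A" * 50 + "\r\n" for _ in range(12))
                      + "\r\n")
# The post's follow-up: spread over other header names so a duplicate-Host
# check alone is not enough; only the total-length check sees it.
SPREAD_REQUEST = ("GET /x.printer HTTP/1.1\r\n"
                  + "".join(f"X-Field-{i}: " + "A" * 50 + "\r\n" for i in range(24))
                  + "\r\n")


if __name__ == "__main__":
    samples = [("normal", NORMAL_REQUEST), ("single long", SINGLE_LONG_REQUEST),
               ("fragmented", FRAGMENTED_REQUEST), ("spread", SPREAD_REQUEST)]
    for label, req in samples:
        print(f"{label:12} naive:     {naive_check(req)}")
        print(f"{label:12} aggregate: {aggregate_check(req)}")
```

Running it shows the gap the post describes: the fragmented request produces no finding from `naive_check` but two from `aggregate_check` (repeated name, combined length), and the request spread over distinct header names is caught only by the total-length rule. The design choice is to never normalise headers into a dictionary before checking; the duplication itself is the signal.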
This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 16:24:40 PDT