Evading IDS detection on CGI attacks

Vulnerable systems: CGI.pm

Not vulnerable: ASP, EXE-based CGIs, and most other UNIX-based CGIs (non-CGI.pm) seem to be immune.

Summary:

CGI.pm seems to behave differently from other CGI parsers. As you can see from the structure of a CGI query, each name/value pair is separated by a '&' sign. It turns out that CGIs based on CGI.pm can parse such name/value pairs even if they are separated by a ';'. The RFC is not very clear on whether '&' or ';' should be used, and simply lists both as reserved characters.

Replacing '&' with ';' makes it possible to launch CGI attacks while evading IDS detection, because the IDS breaks the query down into name/value pairs differently from the way CGI.pm does.

For example, a CGI running under CGI.pm would understand both:

http://host/cgi-bin/test.cgi?a=b&c=d&e=f

and

http://host/cgi-bin/test.cgi?a=b;c=d;e=f

as a CGI query to test.cgi with the names a, c and e and their corresponding values.

Impact:

The next steps would be to confirm:

1) Which IDSes are fooled by this attack?
2) Can this be used to get past other CGI checking mechanisms, such as content filters?
3) Is knowing that the remote CGI is based on CGI.pm dangerous by itself?

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com
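To make the parsing difference concrete, here is an added example in Python; it is not code from the original post or from CGI.pm. It models the two splitting behaviours described above (a CGI.pm-style parser that splits on either '&' or ';', and a strict parser that splits on '&' only) and shows why a detection signature written for the '&' form misses the ';' form unless the query is normalised first. The signature pattern, the normaliser, and the function names are assumptions made for this example; the assumption that CGI.pm splits on the raw (still percent-encoded) query before decoding each piece is also an assumption, which is why the normaliser rewrites only a literal ';' and leaves an encoded '%3B' alone.

```python
import re
from urllib.parse import unquote_plus


def parse_query(query, separators="&"):
    """Split a CGI query string into a {name: [values]} dict.

    The pair separators are configurable: "&" mimics a strict parser,
    "&;" mimics CGI.pm. Splitting happens on the raw string; each name and
    value is percent-decoded afterwards, so an encoded %3B is data, not a
    separator (assumption about CGI.pm made for this example).
    """
    pairs = {}
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return pairs


def parse_cgi_pm(query):
    """CGI.pm-style breakdown: both '&' and ';' separate pairs."""
    return parse_query(query, "&;")


def parse_strict(query):
    """Breakdown used by most other CGI parsers: only '&' separates pairs."""
    return parse_query(query, "&")


# Constructed detection rule: a naive IDS signature that looks for a literal
# parameter sequence in the raw request. It is written for the '&' form only.
SIGNATURE = re.compile(r"c=d&e=f")


def naive_match(query):
    """Signature applied to the raw query, the way a simple IDS would."""
    return SIGNATURE.search(query) is not None


def normalize_for_detection(query):
    """Rewrite a literal ';' to '&' so that the detection engine sees the
    same pair boundaries that CGI.pm will use on the back end. Encoded
    separators (%3B) are left untouched because CGI.pm does not split on
    them either (assumption, see lead-in)."""
    return query.replace(";", "&")


def normalized_match(query):
    """Signature applied after normalisation: fires on both forms."""
    return SIGNATURE.search(normalize_for_detection(query)) is not None


if __name__ == "__main__":
    for q in ("a=b&c=d&e=f", "a=b;c=d;e=f"):
        print(q)
        print("  CGI.pm view :", parse_cgi_pm(q))
        print("  strict view :", parse_strict(q))
        print("  naive IDS   :", naive_match(q))
        print("  normalised  :", normalized_match(q))
```

The strict parser sees the ';' variant as a single parameter `a` whose value is `b;c=d;e=f`, which is exactly the view a signature-based IDS gets when it splits the way most CGIs do; the same request reaches CGI.pm as three separate parameters. Normalising separators before matching closes that gap for this specific evasion, but it only helps if the detection engine knows which separator set the protected application actually honours.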
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 17:29:14 PST