Cenzic 232 Patent
Paid Advertising
web application security lab

IDS Evasion

p3rlhax posted about a vulnerability found in Blojsom today. The exploit itself breaks out of encapsulation and runs the vector. Here are the details. Along with it p3rlhax included a snort signature that is intended to catch his own vector. At first I thought that was pretty cool, but then I took a look at what it actually said. Here’s the signature:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: “Blojsom Weblog XSS exploit”; flow:to_server; content:”POST”; depth:4; nocase;
pcre:”/(blog-category-description|blog-entry-title|rss-enclosure-url|technorati-tagsi|blog-category-name).*=.*%3cscript%3e.*%3c%2fscript%3e.*&/i”;
classtype:web-application-activity; sid:9999994; rev:1;)

The part that caught my eye was %3cscript%3e.*%3c%2fscript%3e. Can you spot the obvious mistakes here? The first is that it is not a requirement that I end the HTML tag immediately after the word “script”. I can put all sorts of junk in there. Secondly, there are oh, a hundred or so ways to bypass using script tags. Ouch.

This is exactly why I think network security is a dying creature. Sure, you still need it, but it’s completely commoditized and easy to circumvent now. It feels like 1998 all over again today. Rain Forrest Puppy proved most of the IDSs out there could be evaded, but the signatures themselves are just as easy to evade. Maybe Richard Steinnon was right. Maybe IDSs really are dead. Detection will always be a part of prevention, but regex just isn’t cutting it when you are talking about states that go well beyond the state of a packet or even a TCP/IP session.

8 Responses to “IDS Evasion”

  1. /pd Says:

    ahhhhhhhhhhh.. I read a cite to rfp .. quite some time since i have heard what this handle has been doing !!

    Any ideas ??? :)-

  2. David Kierznowski Says:

    This has been coming. We are pushing so much over HTTP (I blame firewalls) that is has now become a nightmare nigh impossible to secure.

  3. RSnake Says:

    /pd, well, his site is back online: http://www.wiretrip.net/rfp/

    I heard various rumors about what he was up to… working for a computer magazine at some point and then living somewhere in northern California for a while. After that I don’t know. I haven’t talked to him personally since before he dropped offline.

    David, you’re exactly right… but this is a common problem I’ve seen in security. When you tighten down one thing the attackers simply shift to the next vector. Yes, I’d love for it still to be a network security game, but times have changed. For anyone who is left in the network security realm, it’s a tough world right now.

    BTW, I’ve been meaning to write something about your PDF backdoors. Very interesting stuff. Right in line with pdp’s quicktime issues, only I like it even better, because PDF is one of those things people assume is safe.

  4. InfoSecPodcast Says:

    Network security a dying creature?…

    I saw a post from RSnake at ha.ckers.org titled IDS Evasion. It’s one of the blogs I really enjoy reading. This post talks about the recent vulnerability in Blojsom. A security researcher submitted a Snort signature to detect someone trying to ex…

  5. p3rlhax Says:

    I agree that there may be ways and means to circumvent the snort sig I published. But then, I think security has always been based on the philosophy that if the time and effort required to break into, a and exploit a system is greater than the reward, then that much security should suffice.

    On a more pragmatic note, there is also the fact of writing too generic a signature that trips far too often so as to make it worthless, as against writing something more specific that could be evaded by some clever hacks but catches 90% of the cases. I think the IDS/IPS community would probably go for the latter.

    As for XSS, the only true test of an effective exploit, is whether the browser will execute the injected script. The more we try to evade the security mechanism, whether it is implemented using filters or IDS/IPS, the harder it gets to write an exploit that will eventually execute. I am not suggesting that an IPS like snort should be the only mechanism to catch a vulnerability, but a combination of an IPS, an appfirewall and filters would make writing a viable exploit hard enough, that it will not be worthwhile to invest time and money into doing so. Considering that there are a host of protection mechanisms, each one should be tuned to optimize false positives, performance and at the same time be effective when put together.

  6. RSnake Says:

    Hi, p3rlhax, thanks for writing, although I think you may be missing the point of my post. That signature is not just possible to circumvent, it’s trivially easy:

    <script a=b>alert(”XSS”)</script>

    Every modern browser on earth that supports JavaScript will execute that, so as for the “true test” you proposed - that vector is perfect. I agree that writing more and more complex filters narrows the exploit effectiveness (probably) but in this case it hasn’t been narrowed at all. So in my mind all you have stopped is the exact test vector you’ve written, nothing more. Anyone with even basic understanding of HTML and regex could bypass that signature.

    I guess I’m proposing that signatures do have a purpose, but only when they actually limit/detect the attack and in this case to avoid detection it requires modifying the vector only slightly and that does not limit the vector at all.

  7. p3rlhax Says:

    Point taken. The question still remains if it is possible to write an effective signature / (regex) that catches most vectors which are guarenteed to execute in the browser. I think the signature can be broken up into parts.

    1. The character used to escape out of the HTML (e.g ‘ | >’> | etc). I think this is pretty specific to a vulnerable field and can be used to write a specific signature for a specific known vulnerable field.

    2. The actual executable script. (e.galert(’XSS’) | etc). Various variations of this can be used to execute a script and it is probably harder to write a signature that matches this part of the attack vector.

    Two questions that spring to mind are:
    1. Is it possible to write a signature to match almost all cases in which an injection string will execute in the browser

    2. If so what is the grammar ( regex) for such an injection string.
    I would like to start a discussion on coming up with a regex that us best at capturing all such scripts.

    I guess the first improvment to the above signature is to match for a number of characters after the string “script” (e.g )and “”

    ā€/(blog-category-description|blog-entry-title|rss-enclosure-url|technorati-tagsi|blog-category-name).*=.*%3cscript.*%3e.*%3c%2fscript.*%3e.*&/iā€

  8. RSnake Says:

    Let’s do this on the forums, because wordpress tends to remove characters. I started the thread already here: http://sla.ckers.org/forum/read.php?6,665