p3rlhax posted about a vulnerability found in Blojsom today. The exploit itself breaks out of encapsulation and runs the vector. Here are the details. Along with it p3rlhax included a snort signature that is intended to catch his own vector. At first I thought that was pretty cool, but then I took a look at what it actually said. Here’s the signature:
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Blojsom Weblog XSS exploit"; flow:to_server; content:"POST"; depth:4; nocase;
rss-enclosure-url|technorati-tagsi| blog-category-name) .*=.*%3cscript%3e.*%3c%2fscript%3e.*&/i";
classtype:web-application-activity; sid:9999994; rev:1;)
The part that caught my eye was %3cscript%3e.*%3c%2fscript%3e. Can you spot the obvious mistakes here? The first is that it is not a requirement that I end the HTML tag immediately after the word “script”. I can put all sorts of junk in there. Secondly, there are oh, a hundred or so ways to bypass using script tags. Ouch.
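To make the point concrete, here is a small added Python check (not code from the original post or from p3rlhax) that runs the core pattern from the signature, %3cscript%3e.*%3c%2fscript%3e with the rule's /i flag, over a few constructed POST bodies and then shows what the application side should be doing instead: HTML-escaping the stored field so the tag is inert no matter how it was written. The field name blog-category-name is taken from the visible fragment of the rule; the request bodies are made up for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs

# Core pattern quoted in the post, compiled case-insensitively to mirror the rule's /i flag.
SCRIPT_TAG_RE = re.compile(r"%3cscript%3e.*%3c%2fscript%3e", re.IGNORECASE)

# Constructed sample POST bodies (application/x-www-form-urlencoded), not real traffic.
SAMPLE_BODIES = {
    # A bare <script></script> pair, exactly what the signature was written for.
    "plain": "blog-category-name=%3cscript%3e1%3c%2fscript%3e&x=1",
    # Same tag with upper-case hex digits; the /i flag still catches this.
    "uppercase_hex": "blog-category-name=%3Cscript%3E1%3C%2Fscript%3E&x=1",
    # The tag carries an attribute, so "script" is not followed directly by %3e
    # and the signature never fires, although the browser treats it the same way.
    "with_attribute": (
        "blog-category-name=%3cscript%20type%3d%22text%2fjavascript%22%3e"
        "1%3c%2fscript%3e&x=1"
    ),
}


def signature_matches(body: str) -> bool:
    """True when the signature's core regex would fire on this raw request body."""
    return SCRIPT_TAG_RE.search(body) is not None


def evaluate_signature(bodies: dict[str, str]) -> dict[str, bool]:
    """Map each sample name to whether the network signature detects it."""
    return {name: signature_matches(body) for name, body in bodies.items()}


def escape_for_html(body: str, field: str) -> str:
    """What the application should do: decode the field, then HTML-escape it
    before it is ever written back into a page. This works for every variant
    because it does not try to recognise tags at all."""
    value = parse_qs(body).get(field, [""])[0]
    return html.escape(value)


if __name__ == "__main__":
    for name, detected in evaluate_signature(SAMPLE_BODIES).items():
        print(f"{name:15s} signature fires: {detected}")
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:15s} escaped output: {escape_for_html(body, 'blog-category-name')}")
```

Running it shows the signature firing on the first two bodies and silently passing the third, while the escaped output contains no raw angle brackets in any of the three cases; that gap between "matches the exploit as published" and "stops the class of bug" is the whole complaint above.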
This is exactly why I think network security is a dying creature. Sure, you still need it, but it’s completely commoditized and easy to circumvent now. It feels like 1998 all over again today. Rain Forest Puppy proved most of the IDSs out there could be evaded, but the signatures themselves are just as easy to evade. Maybe Richard Stiennon was right. Maybe IDSs really are dead. Detection will always be a part of prevention, but regex just isn’t cutting it when you are talking about states that go well beyond the state of a packet or even a TCP/IP session.