Copyright © 2009 Stonesoft Corporation. All rights reserved. Advanced Network Based IPS Evasion Techniques Antti Levomäki, Christian Jalio, Olli-Pekka Niemi 28 October 2009

Page 1

Advanced Network Based IPS Evasion Techniques

Antti Levomäki, Christian Jalio, Olli-Pekka Niemi

28 October 2009

Page 2

Introduction

Intrusion Prevention Systems should protect vulnerable hosts from remote exploits.

Exploits can apply multiple evasion methods to bypass the detection of Intrusion Prevention Systems and break into the remote system.

Hack.Lu 2009

Page 3

There are hacking tools which apply multiple evasion techniques.

However, these tools are more exploit oriented than evasion oriented.

Page 4

Known Evasions (implemented in various testing tools…)

- IP fragmentation with manipulated fragment size and order
- TCP segmentation with manipulated segment size and order
- SMB fragmentation
- SMB Transaction Write Method
- MSRPC Multibind (bind to multiple "unnecessary or non-existent" contexts + the vulnerable context)
- MSRPC fragmentation
- MSRPC encryption

Page 5

Not So Known Evasions, Implemented in ???

- IP Random Options
- TCP Time Wait
- TCP Urgent Pointer
- SMB Write/Read Padding
- SMB Transaction Method fragmentation
- SMB Session Mixing
- MSRPC Alter Context
- MSRPC Object Reference
- MSRPC Endian Manipulation

Page 6

The Power of Evasion Methods

IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic.

Example: SMB and MSRPC signatures should not need to worry about fragmentation, padding, extra methods or other randomizations.

Page 7

IP

Random Options

Fill the IP packet with random options. If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS.

Page 8

TCP Evasion

TCP Time Wait

Open and close a TCP connection, then open a new TCP connection to the same service using the same TCP source port. According to the TCP RFC, the TCP client MUST wait "TIME-WAIT delay" seconds before reusing a port.

If the attacker uses his own TCP/IP stack, he can open and close a TCP connection and immediately open a new TCP connection using the same source port. The IPS stack should handle new connections as new connections regardless of the TIME-WAIT delay.
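The rule on this slide, "a new connection is a new connection regardless of TIME-WAIT", is easy to state and easy to get wrong in a flow table. The following is an added example, not code from the slides or from Stonesoft: a minimal model of the per-4-tuple state an inline inspector keeps, with a switch between the correct behaviour (a SYN on a tuple still in TIME-WAIT starts a fresh, fully inspected flow) and a naive tracker that keeps the old closed entry and so never reassembles the bytes of the reused connection. The 4-tuple and the payload strings are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    state: str = "established"            # "established" or "time_wait"
    client_bytes: bytearray = field(default_factory=bytearray)


class FlowTable:
    """Model of the per-4-tuple state an inline inspector keeps.

    reset_on_syn=True is what the slide asks for: a SYN on a tuple that is
    still in TIME-WAIT opens a brand-new flow that is inspected from scratch.
    reset_on_syn=False models an inspector that assumes the client honours
    the TIME-WAIT delay and therefore keeps the old, closed entry.
    """

    def __init__(self, reset_on_syn):
        self.reset_on_syn = reset_on_syn
        self.flows = {}      # 4-tuple -> Flow
        self.events = []     # (event name, 4-tuple), what a sensor would log

    def segment(self, key, flags, data=b""):
        flow = self.flows.get(key)
        if flags & SYN and not flags & ACK:          # client SYN
            if flow is None or self.reset_on_syn:
                self.flows[key] = Flow()
                return
            # Old entry is kept: the new handshake is attributed to the dead
            # flow and every byte that follows it escapes inspection.
            self.events.append(("syn_on_time_wait_ignored", key))
            return
        if flow is None:
            self.events.append(("segment_without_flow", key))
            return
        if flow.state == "time_wait":
            self.events.append(("data_after_close_dropped", key))
            return
        flow.client_bytes += data
        if flags & (FIN | RST):
            flow.state = "time_wait"

    def inspected_bytes(self, key):
        flow = self.flows.get(key)
        return bytes(flow.client_bytes) if flow else b""


def port_reuse_scenario(reset_on_syn):
    """Replays the slide's sequence: connect, close, reconnect from the same port.

    Returns the client bytes the inspector attributes to the tuple after the
    second connection, plus the events it logged along the way.
    """
    table = FlowTable(reset_on_syn)
    key = ("10.0.0.5", 40000, "10.0.0.9", 445)    # constructed 4-tuple
    # Connection 1: a short decoy exchange, closed immediately.
    table.segment(key, SYN)
    table.segment(key, ACK, b"decoy-request")
    table.segment(key, FIN | ACK)
    # Connection 2: same source port, reused before TIME-WAIT has elapsed.
    table.segment(key, SYN)
    table.segment(key, ACK, b"second-connection-request")   # constructed payload
    return table.inspected_bytes(key), table.events


if __name__ == "__main__":
    for mode in (True, False):
        seen, events = port_reuse_scenario(mode)
        print("reset_on_syn=%s -> inspected %r, events %r" % (mode, seen, events))
```

With `reset_on_syn=True` the inspector's view of the second connection is exactly the bytes the server will see; with `reset_on_syn=False` it still holds the decoy request and logs two anomalies instead, which is the signal a detection engineer should alert on if a sensor cannot be configured to reopen the tuple.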

Page 9

TCP Evasion

TCP Urgent Pointer

Insert one byte into a TCP stream. The TCP server chooses whether to use or discard the added byte. IPS inspection can be evaded by clever use of the urgent pointer.

Example:

TCP stream: GETP / (P is urgent data)
IPS sees: GETP /
Apache sees: GET /
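The "GETP /" versus "GET /" split on this slide comes from the receiving stack pulling the urgent byte out of the in-band stream. As an added example (not code from the slides), the stream reassembler below rebuilds what the application reads and returns a flag whenever URG was used at all, so an inspector can treat the segment as ambiguous. It assumes the behaviour of BSD-derived stacks (including the Linux default): exactly one byte is taken out of band, and the urgent pointer names the octet after it, so the urgent byte sits at offset urg_ptr - 1 in the segment (RFC 793 / RFC 6093 wording); the alternative RFC 1122 reading, where the pointer names the urgent byte itself, is selectable with `rfc1122_pointer=True`. The segments are constructed.

```python
from dataclasses import dataclass

URG = 0x20   # TCP URG flag bit


@dataclass
class Segment:
    seq: int        # sequence number of data[0]
    flags: int
    urg_ptr: int    # urgent pointer field; only meaningful when URG is set
    data: bytes


def inband_stream(segments, strip_urgent=True, rfc1122_pointer=False):
    """Rebuild the byte stream the receiving application reads.

    strip_urgent=False reproduces a naive inspector that concatenates every
    payload byte.  strip_urgent=True removes the single byte the urgent
    pointer designates, which is what a BSD-derived stack hands to an
    application that has not enabled SO_OOBINLINE.
    rfc1122_pointer=False: urgent byte at offset urg_ptr - 1 (RFC 793/6093
    semantics, BSD and Linux default).  True: at offset urg_ptr (RFC 1122
    "points to the last octet" semantics, Linux tcp_stdurg=1).
    Returns (stream, urgent_seen); urgent_seen is the ambiguity signal.
    """
    stream = bytearray()
    urgent_seen = False
    expected_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        # Keep the example honest: only contiguous, non-overlapping data.
        if expected_seq is not None and seg.seq != expected_seq:
            raise ValueError("gap or overlap at seq %d" % seg.seq)
        expected_seq = seg.seq + len(seg.data)
        data = seg.data
        if seg.flags & URG and seg.urg_ptr:
            urgent_seen = True
            if strip_urgent:
                idx = seg.urg_ptr if rfc1122_pointer else seg.urg_ptr - 1
                if 0 <= idx < len(data):
                    data = data[:idx] + data[idx + 1:]
        stream += data
    return bytes(stream), urgent_seen


if __name__ == "__main__":
    # Constructed segments reproducing the slide: "GETP" with P urgent, then " /".
    segs = [Segment(1, URG, 4, b"GETP"), Segment(5, 0, 0, b" /")]
    print("naive inspector:", inband_stream(segs, strip_urgent=False)[0])
    print("URG-aware      :", inband_stream(segs)[0])
    # The 1-byte urgent segments a fuzzer emits: the whole segment disappears.
    one_byte = [Segment(5, 0, 0, b" /"), Segment(4, URG, 1, b"P"), Segment(1, 0, 0, b"GET")]
    print("1-byte urgent  :", inband_stream(one_byte)[0])
```

Because the two interpretations disagree on which byte disappears, a normalizer cannot safely pick one; the practical mitigation is to match signatures against the URG-stripped stream and to raise an event whenever `urgent_seen` is true on a protocol where urgent data has no legitimate use.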

Page 10

SMB Evasion

SMB Session Mixing

It is possible to use multiple resources over the same SMB session within a single TCP connection at the same time, and to read and write multiple files simultaneously.

Page 11

SMB Evasion

SMB Write/Read Padding

The write and read commands have an offset pointer that can be used for padding. All data after the SMB header up to the pointed byte should be discarded.
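The offset pointer on this slide is the DataOffset field of SMB_COM_WRITE_ANDX (and of the READ_ANDX response), measured from the first byte of the SMB header. As an added example, not code from the slides or from Stonesoft, the block below constructs a WRITE_ANDX request whose DataOffset skips a block of filler bytes and then parses it two ways: the naive way, taking the bytes that immediately follow ByteCount, and the correct way, honouring DataOffset and checking that it stays inside the message. The header field values (TID, PID, UID, flags) and the filler are constructed; only the field layout is from the SMB1 specification (MS-CIFS 2.2.4.43).

```python
import struct

SMB_COM_WRITE_ANDX = 0x2F
# 14 parameter words: AndXCommand, AndXReserved, AndXOffset, FID, Offset,
# Timeout, WriteMode, Remaining, DataLengthHigh, DataLength, DataOffset, OffsetHigh
WRITE_ANDX_WORDS = "<BBHHIIHHHHHI"


def smb_header(command):
    """32-byte SMB header; every value except the command byte is constructed."""
    return (b"\xffSMB" + bytes([command]) + b"\x00" * 4          # status
            + b"\x18" + b"\x07\xc8"                                # flags, flags2
            + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2               # pid_high, signature, reserved
            + struct.pack("<HHHH", 0x0800, 0xfeff, 0x0800, 1))      # tid, pid, uid, mid


def build_write_andx(data, pad, fid=0x4000):
    """Construct a WRITE_ANDX request whose DataOffset skips `pad` bytes."""
    header = smb_header(SMB_COM_WRITE_ANDX)
    word_count = struct.calcsize(WRITE_ANDX_WORDS) // 2            # 14
    # DataOffset counts from the first byte of the SMB header:
    # header(32) + WordCount(1) + words(28) + ByteCount(2) + pad
    data_offset = len(header) + 1 + 2 * word_count + 2 + len(pad)
    words = struct.pack(WRITE_ANDX_WORDS,
                        0xFF, 0, 0,                 # no AndX command chained
                        fid, 0, 0,                  # FID, Offset, Timeout
                        0, 0, 0,                    # WriteMode, Remaining, DataLengthHigh
                        len(data), data_offset, 0)  # DataLength, DataOffset, OffsetHigh
    byte_count = len(pad) + len(data)
    return header + bytes([word_count]) + words + struct.pack("<H", byte_count) + pad + data


def write_andx_data(pkt, honor_data_offset=True):
    """Return the bytes a WRITE_ANDX request actually writes to the file."""
    if pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_WRITE_ANDX:
        raise ValueError("not a WRITE_ANDX request")
    word_count = pkt[32]
    if word_count not in (12, 14):
        raise ValueError("unexpected WordCount %d" % word_count)
    words = pkt[33:33 + 2 * word_count]
    # DataLength/DataOffset sit at the same word positions for both sizes
    data_length, data_offset = struct.unpack_from("<HH", words, 20)
    byte_block = 33 + 2 * word_count + 2        # first byte after ByteCount
    if not honor_data_offset:
        # Naive inspector: assumes the data starts right after ByteCount
        return pkt[byte_block:byte_block + data_length]
    if data_offset < byte_block or data_offset + data_length > len(pkt):
        raise ValueError("DataOffset points outside the message")
    # Everything between ByteCount and the pointed byte is padding; discard it.
    return pkt[data_offset:data_offset + data_length]


if __name__ == "__main__":
    pkt = build_write_andx(b"real payload", b"JUNKJUNKJUNK")   # constructed
    print("naive  :", write_andx_data(pkt, honor_data_offset=False))
    print("correct:", write_andx_data(pkt))
```

The same check belongs on the read side: a READ_ANDX response carries its own DataOffset, so a signature that keys on file content must take the data from the pointed byte and not from the first byte after the parameter block.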

Page 12

SMB Evasion

SMB Transaction Method

SMB TransAct Write Method: the SMB protocol allows the fragmentation of Transaction messages by using "Transaction secondary" messages.

Page 13

MSRPC Evasion

MSRPC Object Reference

Adding an Object Reference (UUID) to an MSRPC request header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward.

Page 14

MSRPC Evasion

Alter Context

The client may change the current context using the Alter Context method. All subsequent requests then go to the new context. Example: the client binds to a non-vulnerable context, then changes into a vulnerable context and sends the exploit.

Page 15

MSRPC Endianness

The MSRPC protocol allows both big- and little-endian encoding. Windows hosts normally use little-endian encoding. Hackers should use big endian for obvious reasons…
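The object-reference slide (16 extra header bytes) and this endianness slide describe two fields of the same DCE/RPC request header: the PFC_OBJECT_UUID bit in pfc_flags and the data-representation byte. As an added example, not code from the slides or from Stonesoft, the block below constructs request PDUs in both encodings, with and without an object UUID, and shows a parser that reads the representation byte before decoding any multi-byte field and skips the UUID when the flag is set, next to the naive little-endian-only decoding that a fixed-offset signature would perform. The opnum, context id, stub bytes and UUID are constructed values; the header layout (16-byte common header, then alloc_hint, context id, opnum, optional UUID) is from the DCE/RPC connection-oriented protocol.

```python
import struct

PTYPE_REQUEST = 0
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
PFC_OBJECT_UUID = 0x80       # pfc_flags bit: 16-byte object UUID follows opnum
DREP_LITTLE_ENDIAN = 0x10    # drep[0] bit: integer byte order


def build_request(opnum, stub, big_endian, ctx_id=0, object_uuid=None, call_id=1):
    """Constructed connection-oriented request PDU without authentication."""
    order = ">" if big_endian else "<"
    flags = PFC_FIRST_FRAG | PFC_LAST_FRAG
    if object_uuid is not None:
        flags |= PFC_OBJECT_UUID
    drep = bytes([0 if big_endian else DREP_LITTLE_ENDIAN, 0, 0, 0])
    body = struct.pack(order + "IHH", len(stub), ctx_id, opnum)   # alloc_hint, p_cont_id, opnum
    if object_uuid is not None:
        body += object_uuid
    frag_length = 16 + len(body) + len(stub)
    header = struct.pack(order + "BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags, drep,
                         frag_length, 0, call_id)                 # auth_length = 0
    return header + body + stub


def parse_request(pdu):
    """Decode opnum, context id and stub data honouring drep and PFC_OBJECT_UUID."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        raise ValueError("not a version 5 request PDU")
    flags, drep0 = pdu[3], pdu[4]
    big_endian = not (drep0 & DREP_LITTLE_ENDIAN)   # decide byte order first
    order = ">" if big_endian else "<"
    frag_length, auth_length = struct.unpack_from(order + "HH", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from(order + "IHH", pdu, 16)
    stub_start, object_uuid = 24, None
    if flags & PFC_OBJECT_UUID:                     # header grows by 16 bytes
        object_uuid = pdu[24:40]
        stub_start = 40
    if frag_length > len(pdu) or auth_length > frag_length - stub_start:
        raise ValueError("frag_length/auth_length inconsistent with PDU size")
    return {"big_endian": big_endian, "ctx_id": ctx_id, "opnum": opnum,
            "object_uuid": object_uuid,
            "stub": pdu[stub_start:frag_length - auth_length]}


def naive_opnum_and_stub(pdu):
    """Model of an inspector hard-wired to little-endian PDUs with no object UUID."""
    (opnum,) = struct.unpack_from("<H", pdu, 22)
    return opnum, pdu[24:]


if __name__ == "__main__":
    uuid = bytes(range(16))                                   # constructed
    for be in (False, True):
        for obj in (None, uuid):
            pdu = build_request(7, b"stub-data", be, object_uuid=obj)
            print("big_endian=%s uuid=%s" % (be, obj is not None))
            print("  correct:", parse_request(pdu)["opnum"], parse_request(pdu)["stub"])
            print("  naive  :", naive_opnum_and_stub(pdu))
```

The ctx_id returned here is only half of the picture for the Alter Context slide: the inspector must map it to an interface UUID through a table that is updated from both bind and alter_context responses, otherwise a request sent after a context switch is attributed to the interface the client bound to first.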

Page 16

Introducing Predator

Evasion Fuzzer: use multiple random evasion techniques simultaneously in multiple layers. Transmit the same payload until successful.

Page 17

Evasions in Predator

Evasions for attack "CVE-2008-4250"

IP fragmentation, --ip_frag:
- 8byte: Fragment IP payload into 8 byte fragments
- 16byte: Fragment IP payload into 16 byte fragments
- 24byte: Fragment IP payload into 24 byte fragments
- 256byte: Fragment IP payload into 256 byte fragments
- random_order: Send fragments in a random order
- out_of_order: Send one fragment out of order
- fwd_overwrite: Perform forward overwriting with fragments
- last_first: Send last fragment first
- one_duplicate: Send one duplicate fragment

IP evasion, --ip_evasion:
- random_options: Send random IP options
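The fragment options listed above (random order, duplicates, forward overwriting) all target the gap between the IPS's reassembly policy and the target's. As an added example, not code from the slides or from Predator, the reassembler below accepts fragments in any order, tolerates exact duplicates, and records every byte position where two fragments disagree; whichever policy it applies to such bytes, a non-empty conflict list means the sensor cannot know what the host reconstructed and should alert or drop rather than run signatures over its own guess. Offsets are byte offsets (a multiple of 8, as in the IP header), and the datagram content is constructed.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int       # byte offset of data[0] in the original datagram, multiple of 8
    more: bool        # MF flag: False on the final fragment
    data: bytes


def reassemble(fragments, policy="first"):
    """Reassemble one datagram and report overlap conflicts.

    policy="first" keeps the first-received byte on an overlap, "last" keeps
    the most recent one; these are two of the per-OS choices a sensor would
    otherwise have to guess.  Returns (payload or None if a hole remains,
    sorted list of byte positions where overlapping fragments disagreed).
    """
    bytes_at = {}
    conflicts = set()
    total = None
    for frag in fragments:
        if frag.offset % 8:
            raise ValueError("fragment offset %d is not a multiple of 8" % frag.offset)
        if frag.more and len(frag.data) % 8:
            raise ValueError("non-final fragment length must be a multiple of 8")
        if not frag.more:
            total = frag.offset + len(frag.data)   # final fragment fixes the length
        for i, b in enumerate(frag.data):
            pos = frag.offset + i
            if pos in bytes_at and bytes_at[pos] != b:
                conflicts.add(pos)                 # identical duplicates are not conflicts
                if policy == "last":
                    bytes_at[pos] = b
            else:
                bytes_at[pos] = b
    if total is None or any(p not in bytes_at for p in range(total)):
        return None, sorted(conflicts)
    return bytes(bytes_at[p] for p in range(total)), sorted(conflicts)


# Constructed datagram: 20 bytes split into three fragments.
F0 = Fragment(0, True, b"A" * 8)
F1 = Fragment(8, True, b"B" * 8)
F2 = Fragment(16, False, b"C" * 4)
OVERWRITE = Fragment(8, True, b"X" * 8)   # same offset as F1, different content


if __name__ == "__main__":
    print("random order :", reassemble([F2, F0, F1]))
    print("duplicate    :", reassemble([F0, F1, F1, F2]))
    print("overwrite/1st:", reassemble([F0, F1, OVERWRITE, F2], policy="first"))
    print("overwrite/lst:", reassemble([F0, F1, OVERWRITE, F2], policy="last"))
    print("hole         :", reassemble([F0, F2]))
```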

Page 18

TCP fragmentation, --tcp_frag:
- 1byte: Fragment TCP payload into 1 byte segments

TCP evasion, --tcp_evasion:
- time_wait: Open a decoy connection and attack from the same ip:port while in time-wait
- urgent_ptr: Insert meaningless data into 1 byte urgent segments

Page 19

SMB fragmentation, --smb_frag:
- 16byte: Fragment SMB payload into 16 byte fragments
- 256byte: Fragment SMB payload into 256 byte fragments

SMB evasion, --smb_evasion:
- andx_connect: Negotiate SMB session and do the tree connect in an AndX message
- decoy_trees: Open decoy SMB tree connects in the same TCP stream as the attack
- read_offset: Use random offsets in SMB read operations
- pad_write_random: Pad SMB write commands with a random sized block of random data
- pad_write_static: Pad SMB write commands with a static sized block of random data
- random_write_method: Use a random SMB write method (TRANSACT / WRITE)
- write_offset: Use random offsets in SMB write operations

Page 20

MSRPC fragmentation, --msrpc_frag:
- 16byte: Fragment MSRPC payload into 16 byte fragments
- 256byte: Fragment MSRPC payload into 256 byte fragments

MSRPC evasion, --msrpc_evasion:
- big_endian: Communicate in big endian format
- random_object: Add a random object reference to MSRPC requests
- alter_context: Bind to a random context and then alter to the correct one

Page 21

Hunting High and Low

Initializing IPForge based on the configuration..

Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101

Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion: random_object}

Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context}

Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context}

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Page 22

Hunting High and Low

Initializing IPForge based on the configuration..

Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101

Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB evasion:andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion: alter_context}

Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Page 23

DEMO

Page 24

www.stonesoft.com