Bugtraq: Re: New Snort Bypass - Patch

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: New Snort Bypass - Patch - Bypass of Patch

From: "M. Dodge Mumford" <dodge () nfr net>
Date: Fri, 2 Jun 2006 19:16:38 -0400

Sigint Consulting said:

However we can once again bypass this by including our CR character
before our string like so:

perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
192.168.1.3 80

No alert is generated from the string above.


[...]

We are not sure how much this may buy an attacker as the CR character
may mess up any requests to the webserver, further research is needed
on this.


I performed this research while developing NFR's web signatures, and found
that all web servers I tested (several years ago) handled end-of-lines using
"\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
interprets "index.php" in the example above as an actual filename, I for one
would be very interested in knowing about it.



-- 

Dodge

Attachment: _bin
Description:

By Date By Thread

Current thread:

New Snort Bypass - Patch - Bypass of Patch Sigint Consulting (Jun 02)
- Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 02)
  - Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 04)
    - Re: New Snort Bypass - Patch - Bypass of Patch Pukhraj Singh (Jun 05)