Apache 2 ignores any combination of the following bytes before the URI:
0x09 0x0b 0x0c 0x0d 0x20 (man isspace)
If you specify 0x0a before the URI, it causes Apache to truncate the
request, so in most cases this results in the index.html page being
returned. Try your 0x0a example again with a non-index.html URI and it
will still serve up the main page.
IPS/IDS has all sorts of problems with whitespace. For example, take any
PCRE-based matching engine, look for any sigs that use the \s or \S
sequences to match on whitespace, then compare that to what the actual
server software considers as whitespace. In many cases, you can bypass an
"string too long" check by using 0x0c or 0x0b as the filler between
commands and arguments (FTP, SMTP, HTTP, etc).
Let's take a fictional PCRE match that looks for an FTP MKD command with an
argument longer than 1024 bytes:
"MKD\s+\S{1024}"
If the FTP server doesn't use the same character set to parse command
lines, this is trivial to fool, either by padding the argument or by
inserting a fake whitespace byte somewhere before the 1024 limit is
reached. This problem probably affects snort, netscreen, and any other
IPS that depends on PCRE-compatible engines. Fixing it would require
someone to review every single vulnerable piece of server software and
determine what bytes are actually treated as whitespace or rewrite the
rule in a way that doesn't depend on \s.
Brian Caswell and I will be speaking about IPS evasion at the Black Hat
security conference in Las Vegas (August 2-3, 2006). The talk will dig
into the systematic issues with most intrusion detection/prevention
systems.
-HD
On Saturday 03 June 2006 12:41, Sigint Consulting wrote:
> Further research on the snort vulnerability reveals that the \x0a
> character will also evade the snort preprocessor AND apache will return
> a valid response. (Testing \x0a before a malicious unicode string did
> not generate a snort alert)
Received on Jun 05 2006
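The whitespace mismatch described above, worked through as an added example (this code is not from the post or from any IDS or server project). It models a hypothetical FTP server that splits command and argument on 0x20 only, takes the Apache byte set from the post, and runs the fictional "MKD\s+\S{1024}" rule, a rewritten rule built from the server's own delimiter, and a protocol-aware check over constructed sample lines. The whitespace_mismatch helper does the review step the post calls for: listing the bytes on which the regex engine and the server disagree.

```python
import re

# Bytes the post says Apache 2 skips before the URI: C isspace() minus 0x0a.
APACHE_SKIPPED = frozenset(b"\t\x0b\x0c\r ")

# Hypothetical FTP server (constructed model, not any real server's parser):
# command and argument are separated by 0x20 only, the line ends at CRLF,
# and every other byte, including 0x0b/0x0c, is part of the argument.
def ftp_parse(line: bytes) -> tuple[bytes, bytes]:
    line = line.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    return cmd.upper(), arg

# Bytes that \s matches in a bytes regex: [ \t\n\r\f\v], the C isspace() set.
REGEX_WS = frozenset(b for b in range(256) if re.fullmatch(rb"\s", bytes([b])))

def whitespace_mismatch(server_ws: frozenset) -> set[int]:
    """Bytes that exactly one side (regex engine or server) treats as whitespace.
    Any byte listed here can split a \\s/\\S-based rule from what the server parses."""
    return set(REGEX_WS ^ server_ws)

# The fictional rule from the post, as written.
NAIVE_RULE = re.compile(rb"MKD\s+\S{1024}")

# Same intent, but using the server's delimiter (0x20) and line terminator
# explicitly instead of \s and \S.
HARDENED_RULE = re.compile(rb"MKD +[^ \r\n]{1024}")

def naive_alert(line: bytes) -> bool:
    return NAIVE_RULE.search(line) is not None

def hardened_alert(line: bytes) -> bool:
    return HARDENED_RULE.search(line) is not None

def protocol_aware_alert(line: bytes, limit: int = 1024) -> bool:
    """Parse the line the way the server does, then check the argument length."""
    cmd, arg = ftp_parse(line)
    return cmd == b"MKD" and len(arg) >= limit

# Constructed sample traffic.
PLAIN_LONG = b"MKD " + b"A" * 1100 + b"\r\n"
# A 0x0b inside the argument breaks the \S{1024} run but is argument data to the server.
EVASIVE_LONG = b"MKD " + b"A" * 500 + b"\x0b" + b"A" * 600 + b"\r\n"
BENIGN = b"MKD incoming\r\n"

def evaluate(line: bytes) -> dict:
    """Compare what each detection approach sees against what the server sees."""
    return {
        "naive": naive_alert(line),
        "hardened": hardened_alert(line),
        "protocol_aware": protocol_aware_alert(line),
        "server_arg_len": len(ftp_parse(line)[1]),
    }

if __name__ == "__main__":
    for name, line in (("plain", PLAIN_LONG), ("evasive", EVASIVE_LONG), ("benign", BENIGN)):
        print(name, evaluate(line))
    print("regex-vs-ftp mismatch bytes:", sorted(whitespace_mismatch(frozenset({0x20}))))
    print("regex-vs-apache mismatch bytes:", sorted(whitespace_mismatch(APACHE_SKIPPED)))
```

Running the block shows the naive rule firing on the plain long argument but staying silent on the one with an embedded 0x0b, even though the modelled server sees a 1101-byte argument in both cases; the explicit-class rule and the parse-then-check approach fire on both. The mismatch sets are the bytes a rule author has to decide about per server: five for the 0x20-only FTP model, and just 0x0a for the Apache set the post describes.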