MemeStreams Discussion

Web hackers 9999, IDS 0
by Acidus at 4:04 am EDT, May 22, 2007

Canonicalization, much like life, is a bitch. Yet another way higher character encodings get downgraded into lower character encodings, bypassing IDS/IPS signatures.

Of course, this is just another example of the fundamental problem: IDS aren't looking at the same bytes the destination service is looking at. Arian Evans does a good job scoping this:

Somewhere along the path from HTTP protocol --> to app untrusted entry point --> to parser, there are several possible layers of decoding. These could include:

-Web Server itself
-Web Server plugin
-Canonicalization in framework (e.g.-some .NET modules)
-Canonicalization steps in web app code.
-Decoding and interpretation by shellscripts and the like.
-Decoding certain encoding types for normalization (see this a lot in PHP, or cookies base64 file-system encoded, etc.)
-etc.

This means that:

It is possible for an app to have one or more layers of canonicalization/conversion, allowing for even crazy things like double and triple-encoding, which IDS/IPS do not handle at all over HTTP

My homies in X-Force are going to have a shitty day tomorrow...

... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.

RE: Web hackers 9999, IDS 0
by Decius at 12:35 pm EDT, May 22, 2007

Acidus wrote:
My homies in X-Force are going to have a shitty day tomorrow...

Why is that? ISS shipped a patch for the issue you're linking on May 8th, per your link.

RE: Web hackers 9999, IDS 0
by arian at 5:20 pm EDT, May 23, 2007

Acidus wrote:

My homies in X-Force are going to have a shitty day tomorrow...

It's funny the perspective that this will get "patched". There are just too many permutations in the wild, and I've yet to see an IDS properly stream re-assemble, decompose a protocol message, identify encoded blocks within the message, and canonicalize them to their most common or reducible form applicable to the application.

I mean, come on: it's a crazy complex job. Not to mention that to attempt every variation on the fly would be too expensive performance-wise.

Ultimately there is no way these products can infer the decoded state of a message and reduce to that level for IDS/IPS/FW analysis, unless they compare encoded blocks on input with decoded blocks on output for client-side UA attacks. Unless they have host agents, they have no real way to correlate and deduce state within an application to identify server-side attacks.

Acidus wrote:
... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.

1. I started down this path in 2000, btw.

2. I started down this path after being fascinated with what the VXers were doing with their encoded envelopes, and wondering how that applied to my web apps.

3. I really got woken up when K2 showed me his polymorphic shell-code preso before CanSec at Frank Heidt's SeaBeckCon conference. Some random hotel lobby around the sound in Seattle, never forget that, total "duh" moment.

4. We built some tools & charts to do this stuff at my last employer (to assist in testing by hand), that were far more capable than anything released by any commercial webappsec testing vendor. We waltzed through some security platforms and most WAFs doing this. I mean: F5's WAF (the Magnifier thing) couldn't even handle chunked encoding properly just a couple of years ago.

5. I've been working on a cookbook to publish on this for a long time now. Not sure where in the world you get time to finish your research, but I should (will?) probably wrap this up soon if I can find the time.

There's just a lack of good resources out there, so this is all black magic mystery to most.

Thanks for the kind notes; now I have to quit making fun of your constant web 2.0/ajax worm stuff. :)

Arian

RE: Web hackers 9999, IDS 0
by Acidus at 2:05 pm EDT, May 24, 2007

arian wrote:
I mean, come on: it's a crazy complex job. Not to mention that to attempt every variation on the fly would be too expensive performance-wise.

I agree that most of Layer 7 is going to be beyond IDS/IPS. It's simply a matter of normalization. Layers 3 and 4 are represented in relatively normal forms.

TCP/IP stacks don't speak Shift_JIS or UTF-16, let alone nested encodings.

arian wrote:
Not sure where in the world you get time to finish your research, but I should (will?) probably wrap this up soon if I can find the time.

Smack. Red Bull and Smack.

arian wrote:
Thanks for the kind notes; now I have to quit making fun of your constant web 2.0/ajax worm stuff. :)

I've got some stuff up my sleeve I think you'll enjoy...
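The point running through the whole thread (Arian's list of decoding layers and the double/triple-encoding that falls out of it, his description of what an IDS would actually have to do, and Acidus's remark that TCP/IP stacks don't speak UTF-16 or nested encodings) is easier to see with bytes in hand. The following is an added example and not code from the thread or from any product it mentions. The three-layer pipeline (web server percent-decodes, a framework module percent-decodes again, application code NFKC-normalizes before building a query), the `%uXXXX` escape, the signature string and the payload are all constructed for illustration; no real product's behaviour is claimed.

```python
# Added example (not from the thread): why a byte-signature IDS and the
# application disagree about what a request says, and what "canonicalize
# to the most reducible form" costs. Pipeline, signature and payloads are
# constructed for illustration; the decoders are hypothetical layers.
import re
import unicodedata
from typing import Callable, List

Layer = Callable[[bytes], bytes]

# Naive IDS/IPS rule: the injection fragment as a literal on the wire.
SIGNATURE = b"' or 1=1"


def ids_matches(wire: bytes) -> bool:
    """What a signature engine that only sees raw HTTP bytes can do."""
    return SIGNATURE in wire.lower()


# --- Decoding layers between the wire and the parser (constructed) --------

_PCT = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding, plus a %uXXXX form (a UTF-16 code unit,
    emitted here as UTF-8) of the kind some servers have accepted."""
    def sub(m: re.Match) -> bytes:
        if m.group(1):
            return chr(int(m.group(1), 16)).encode("utf-8", errors="replace")
        return bytes([int(m.group(2), 16)])
    return _PCT.sub(sub, data)


def nfkc_downgrade(data: bytes) -> bytes:
    """Compatibility normalization: fullwidth U+FF07 becomes ASCII '."""
    text = data.decode("utf-8", errors="replace")
    return unicodedata.normalize("NFKC", text).encode("utf-8")


# Web server decodes once, a framework module decodes again, app code
# normalizes before it builds the query: three of the layers in the list.
APP_PIPELINE: List[Layer] = [percent_decode, percent_decode, nfkc_downgrade]


def what_the_app_sees(wire: bytes) -> bytes:
    for layer in APP_PIPELINE:
        wire = layer(wire)
    return wire


# --- Attacker side: wire bytes that carry the fragment but never spell it --

def percent_encode_all(data: bytes) -> bytes:
    return b"".join(b"%%%02X" % b for b in data)


def build_payload(fragment: str) -> bytes:
    """Swap ' for fullwidth U+FF07, UTF-8 encode, percent-encode twice."""
    widened = fragment.replace("'", "\uff07")
    return percent_encode_all(percent_encode_all(widened.encode("utf-8")))


# --- What an IDS would have to do instead: decode to a fixed point --------

CANON_LAYERS: List[Layer] = [percent_decode, nfkc_downgrade]


def canonicalize(data: bytes, max_rounds: int = 8) -> bytes:
    """Apply every known decoder repeatedly until nothing changes.
    The round limit bounds the cost; anything nested deeper still slips
    through, which is the coverage/performance trade-off in the thread."""
    for _ in range(max_rounds):
        new = data
        for layer in CANON_LAYERS:
            new = layer(new)
        if new == data:
            return data
        data = new
    return data


def canonicalizing_ids_matches(wire: bytes) -> bool:
    return SIGNATURE in canonicalize(wire).lower()


if __name__ == "__main__":
    wire = build_payload("' or 1=1")
    print("on the wire :", wire)
    print("app sees    :", what_the_app_sees(wire))
    print("naive IDS   :", ids_matches(wire))
    print("canon IDS   :", canonicalizing_ids_matches(wire))
```

Two things to notice when running it. First, the canonicalizer only works because `CANON_LAYERS` happens to contain the same decoders the application applies; a fourth layer the IDS does not know about (base64 in a cookie, a Shift_JIS field, a shell round-trip) puts it right back where it started, which is Arian's point about needing host-side state rather than more wire-side rules. Second, `nfkc_downgrade` is lossy on bytes that are not valid UTF-8, so running it speculatively over every field trades false negatives for false positives and CPU; there is no free setting of `max_rounds`.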
