[20971] in bugtraq
Re: IDS's, host: headers, and .printer ISAPI overflow as an example
daemon@ATHENA.MIT.EDU (Riley Hassell)
Mon Jun 11 19:24:51 2001
Message-ID: <008101c0f2a0$a2c56af0$4301a8c0@cypher>
From: "Riley Hassell" <riley@eeye.com>
To: <bugtraq@securityfocus.com>
Date: Mon, 11 Jun 2001 11:02:10 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
A malicious attacker could also bypass IDS's that do a string length check
as a means to identify the .printer overflow.
(the overflow occurs in a string concatenation function, not a copy :)
For example:
--------------------------------------------------
GET /X.printer HTTP/1.1
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
...etc
--------------------------------------------------
An attacker can bypass almost any length check by using multiple payloads.
...and as Marc said, making shellcode to bypass any shellcode check is
possible. The only part of a payload that needs to remain executable is the
initial decoding/decrypting engine. If an attacker writes his engine in
non-highbit bytes, detection becomes very hard. ALPHA/ASCII engines are really
bad news for the security industry.
So:
--------------------------------------------------
GET /X.printer HTTP/1.1
Host: ENGINE
Host: ENCRYPTED_PAYLOAD1, jmp 2
Host: ENCRYPTED_PAYLOAD2, jmp 3
Host: ENCRYPTED_PAYLOAD3, jmp 4
Host: ENCRYPTED_PAYLOAD4, jmp 5
Host: ENCRYPTED_PAYLOAD5, jmp 6
Host: ENCRYPTED_PAYLOAD6, jmp 7
Host: ENCRYPTED_PAYLOAD7, jmp 8
...etc
--------------------------------------------------
Checking for multiple host fields would be sufficient to stop this variant,
but using other HTTP variables would bypass that fix.
We could also store our payload in HEAP during a previous session. IIS ISAPI
HEAP can be reached using ASCII values. So all we need to do in the attacking
session is send a feasible buffer with 4 ASCII bytes appended to it.
We could of course detect buffer length, unless the overflow can be
triggered due to a formatting problem or concatenation.
... :(
Possible Solution:
Reduce the window of opportunity overall, allowing what you need, stop the
rest all the way down the ladder...
From the application layer to the hardware layer...
I could go on for quite some time about why matching patterns in a patternless
world isn't the silver bullet security solution, but a good IDS will catch
the majority of attacks.
...kinda like stopping people with funny T-shirts coming through customs...
Riley Hassell
Vulnerability Developer
eEye Digital Security
Get up...
and light the world on fire.
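A detection-side check in the spirit of the message above, written as an added example that is not part of Riley Hassell's post or of any IDS product: it totals the header bytes of a .printer request instead of measuring each header on its own, so both the repeated-Host variant and the split-across-other-headers variant trip the same rule. The threshold value and the sample requests are assumptions constructed for this example.

```python
# Added example: aggregate header-length check for .printer requests.
# Per-header length limits are what the post shows being bypassed by splitting
# the payload across many Host: (or other) fields; this check sums all header
# values for the request and also flags repeated header names.

# Illustrative threshold: an assumption for this example, not a value taken
# from the post or from the original .printer advisory.
MAX_HEADER_TOTAL = 250


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"), value.strip()))
    return request_line, headers


def check_printer_request(raw: bytes):
    """Return (verdict, reason) for one request.

    Alerts on .printer requests whose headers repeat or whose header values
    together exceed MAX_HEADER_TOTAL bytes (the concatenation case)."""
    request_line, headers = parse_request(raw)
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    if not target.lower().endswith(".printer"):
        return "pass", "not a .printer request"
    names = [n for n, _ in headers]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        return "alert", "repeated header(s): " + ", ".join(dupes)
    total = sum(len(v) for _, v in headers)
    if total > MAX_HEADER_TOTAL:
        return "alert", f"{total} header bytes across {len(headers)} headers"
    return "pass", f"{total} header bytes"


# Constructed sample traffic for this example (not captured data).
BENIGN = b"GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPLIT_HOST = (b"GET /X.printer HTTP/1.1\r\n"
              + b"".join(b"Host: " + b"A" * 50 + b"\r\n" for _ in range(8)) + b"\r\n")
SPLIT_NAMES = (b"GET /X.printer HTTP/1.1\r\n"
               + b"".join(b"X-%d: " % i + b"A" * 50 + b"\r\n" for i in range(8)) + b"\r\n")
```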