Return-Path: <sentto-279987-2710-1002252192-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Thu, 04 Oct 2001 20:29:33 -0700 (PDT) Received: (qmail 24576 invoked by uid 510); 5 Oct 2001 03:25:40 -0000 Received: from n23.groups.yahoo.com (216.115.96.73) by 204.181.12.215 with SMTP; 5 Oct 2001 03:25:40 -0000 X-eGroups-Return: sentto-279987-2710-1002252192-fc=all.net@returns.onelist.com Received: from [10.1.1.220] by n23.groups.yahoo.com with NNFMP; 05 Oct 2001 03:25:38 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_4_1); 5 Oct 2001 03:23:12 -0000 Received: (qmail 88137 invoked from network); 5 Oct 2001 03:23:12 -0000 Received: from unknown (10.1.10.142) by 10.1.1.220 with QMQP; 5 Oct 2001 03:23:12 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta3 with SMTP; 5 Oct 2001 03:25:32 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id UAA02898 for iwar@onelist.com; Thu, 4 Oct 2001 20:25:20 -0700 Message-Id: <200110050325.UAA02898@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 4 Oct 2001 20:25:20 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:On.IDS.Evasion,.Vulnerabilities,.and.Vendor.Hype] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit On IDS Evasion, Vulnerabilities, and Vendor Hype Recently a disturbing event played out in the IDS world. A security company released an advisory regarding the ability to bypass IDS signatures. This is disturbing because it conveys the impression that otherwise, it was not possible to bypass IDS systems. This is not true. IDS, especially Network IDS, is not mathematics. It is more like psychology; it is far from perfect. Historically, when NIDS evasion tactics have been uncovered, they have been written about in papers and discussed in forums. Everyone knows that NIDS is an immature and evolving technology and that no vendor can provide complete security. Well, everyone _should_ know. A dependency on signatures will only go so far in detecting attacks. Protocol analysis goes one step further, but still will not provide perfect detection for all types of attacks in all types of environments. Anomaly detection has its uses and issues. Depending on the IDS vendor, there are many ways to sneak some known attacks by signatures that are supposed to detect those attacks. To release all such methodologies as advisories at this stage of maturity in the technology is pointless, unless one is seeking publicity. IDS vendors sometimes must completely rewrite parts of their engines to detect evasion methodologies. How long was it before some vendors got fragmentation reassembly? Vendors simply are not ready to offer perfect detection, or even pretend to. Vendor Hype Eeye cast the first stone with their advisory %u encoding IDS bypass vulnerability (<a href="http://www.securityfocus.com/advisories/3552">http://www.securityfocus.com/advisories/3552>). Certainly the issue that Eeye discovered is an important one and needed to be made public. The practice of marketing an organization’s name through advisories is what is not necessary. Cisco (<a href="http://www.securityfocus.com/advisories/3546">http://www.securityfocus.com/advisories/3546>) and ISS (<a href="http://www.securityfocus.com/advisories/3551">http://www.securityfocus.com/advisories/3551>) followed with advisories of their own. Cisco played it straight, and merely announced that their own software was vulnerable. The ISS X-Force jumped in on the hype, announcing that many vendors could be affected by this vulnerability and announcing a patch that protects against it. ISS even compared this new vulnerability to the IIS Unicode Directory Traversal (IUDT) vulnerability from October of 2000 (<a href="http://www.securityfocus.com/bid/1806">http://www.securityfocus.com/bid/1806>). The latter is different, however. The IUDT vulnerability actually uses UTF-8 encoding rather than the nonstandard %u Unicode encoding found in the new vulnerability. What is the difference? Well UTF-8 is a _standard_ method of encoding Unicode, albeit one that has been applied in non-standard ways by Microsoft. %u encoding was something completely invented by Microsoft. One would expect that IDS vendors might not know about a non-standard encoding method developed by a particular vendor. UTF-8, being a standard method of encoding published in the open for the world to use, should be detected or interpreted by IDS vendors. Unfortunately ISS RealSecure stands out as one of the IDS vendors that completely misses UTF-8 encoded attacks. The IDS industry was notified by my article on UTF-8 evasion in January 2001 (<a href="http://www.securityfocus.com/cgi-bin/infocus.pl?head=IDS:IDS%20Evasio">http://www.securityfocus.com/cgi-bin/infocus.pl?head=IDS:IDS%20Evasio> n&id=1232) but by then many vendors had already begun working on the issue. One would think that if ISS was seriously interested in not being evaded rather than just cashing in on some hype, that there would be a patch for UTF-8 by now. Unfortunately the X-Force team has not even acknowledged my emails to them on this issue. Admittedly, the UTF-8 encoding problem is much harder to solve than the %u encoding. It is no surprise that some vendors have yet to deal with it adequately. (How long did it take certain vendors to deal with fragmentation?). However, releasing advisories on similar evasion techniques only serves to cloud the current state of IDS and make the technology seem more mature than it is. Such illusions do not improve the state of security on the Internet. IDS Evasion Just for the record, using the example from the X-Force advisory: “The following is a standard HTML GET request without Unicode-escaped characters: GET /attack.html HTTP/1.0 The following shows the same request, using a valid, but escaped Unicode character in place of the letter k: GET /attac%u006b.html HTTP/1.0 This request uses a non-standard form of Unicode, referred to as "%u encoding". This type of encoding can be used to effectively bypass many IDS signatures for IIS-specific vulnerabilities.” The following are some, but quite possibly not all, of the variations on “attack.html” using standard UTF-8 encoding on IIS5: GET /attac%C1%8B.html HTTP/1.0 GET /attac%C4%B6.html HTTP/1.0 GET /attac%C7%A8.html HTTP/1.0 GET /attac%E2%84%AA.html HTTP/1.0 GET /attac%EF%BC%AB.html HTTP/1.0 GET /attac%C1%AB.html HTTP/1.0 GET /attac%C4%B7.html HTTP/1.0 GET /attac%C7%A9.html HTTP/1.0 GET /attac%EF%BD%8B.html HTTP/1.0 Both upper and lower case letters can be interchanged. One can use the unescaped raw binary codes as well, where {0x41} represents the byte for ‘A’: GET /attac{0xC1}{0x8B}.html HTTP/1.0 GET /attac{0xC4}{0xB6}.html HTTP/1.0 and so on. There is no simple pattern matching facility that will work for UTF-8 encoding, unlike %u encoding. Vulnerabilities Customers who fall prey to vendor hype and believe that they have bought security. The system of trust that vendors release advisories to promote full disclosure and not to further their own interests. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Pinpoint the right security solution for your company- Learn how to add 128- bit encryption and to authenticate your web site with VeriSign's FREE guide! http://us.click.yahoo.com/yQix2C/33_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:54 PST