Bugtraq mailing list archives

Re: IDS's, host: headers, and .printer ISAPI overflow as an example


From: "Riley Hassell" <riley () eeye com>
Date: Mon, 11 Jun 2001 11:02:10 -0700

A malicious attacker could also bypass IDS's that do a string length check
as a means to identify the .printer overflow.

(the overflow occurs in a string concatenation function, not a copy :)

For example:
--------------------------------------------------
GET /X.printer HTTP/1.1
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
Host: 50 bytes
...etc
--------------------------------------------------

An attacker can bypass almost any length check by using multiple payloads.

...and as Marc said, making shellcode to bypass any shellcode check is
possible. The only part of a payload that needs to remain executable is the
initial decoding/decrypting engine. If an attacker writes his engine in
non-high-bit bytes, detection becomes very hard. ALPHA/ASCII engines are really
bad news for the security industry.

So:
--------------------------------------------------
GET /X.printer HTTP/1.1
Host: ENGINE
Host: ENCRYPTED_PAYLOAD1, jmp 2
Host: ENCRYPTED_PAYLOAD2, jmp 3
Host: ENCRYPTED_PAYLOAD3, jmp 4
Host: ENCRYPTED_PAYLOAD4, jmp 5
Host: ENCRYPTED_PAYLOAD5, jmp 6
Host: ENCRYPTED_PAYLOAD6, jmp 7
Host: ENCRYPTED_PAYLOAD7, jmp 8
...etc
--------------------------------------------------

Checking for multiple host fields would be sufficient to stop this variant,
but using other HTTP variables would bypass that fix.

We could also store our payload in HEAP during a previous session. IIS ISAPI
HEAP can be reached using ASCII values. So all we need to do in the attacking
session is send a feasible buffer with 4 ASCII bytes appended to it.

We could of course detect buffer length, unless the overflow can be
triggered due to a formatting problem or concatenation.

... :(

Possible Solution:
Reduce the window of opportunity overall, allowing what you need, stopping the
rest all the way down the ladder...
From the application layer to the hardware layer...

I could go on for quite some time why matching patterns in a patternless
world isn't the silver bullet security solution, but a good IDS will catch
the majority of attacks.

...kinda like stopping people with funny T-shirts coming through customs...


Riley Hassell
Vulnerability Developer
eEye Digital Security

Get up...
and light the world on fire.
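The evasion the post describes works because a per-line length check sees eight short Host: fields, while the server's concatenation sees one 400-byte string. The detection below is an added example, not code from the post or from eEye: it parses a raw HTTP request, aggregates value lengths per header name the same way a concatenating server would (folded continuation lines included), and flags repeated Host: fields and oversized aggregates. It generalises the post's point by checking every header name, since a Host-only check is bypassed by "other HTTP variables". The 256-byte budget, the helper names and the sample requests are constructed for illustration and are not taken from the post.

```python
"""Aggregate-length check for repeated HTTP header fields (added example).

A per-line length check is defeated by splitting a long value across several
Host: fields; this inspector sums the values per header name instead, which is
what a concatenating server would see.  MAX_HEADER_TOTAL (256) is an assumed
budget for illustration, not a value from the original post.
"""
from collections import defaultdict

MAX_HEADER_TOTAL = 256   # assumed per-header-name byte budget; tune per deployment
MAX_HOST_REPEATS = 1     # Host: is expected exactly once in HTTP/1.1


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value)]).

    Folded continuation lines (leading SP/HTAB) are appended to the previous
    value, since a server that concatenates sees them joined as well.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + line.strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1", "replace"),
                        value.strip()))
    return request_line, headers


def aggregate_lengths(headers):
    """Return ({name: total value bytes}, {name: occurrence count})."""
    totals = defaultdict(int)
    counts = defaultdict(int)
    for name, value in headers:
        totals[name] += len(value)
        counts[name] += 1
    return dict(totals), dict(counts)


def inspect_request(raw: bytes, max_total: int = MAX_HEADER_TOTAL):
    """Return a list of findings; an empty list means nothing suspicious."""
    request_line, headers = parse_headers(raw)
    totals, counts = aggregate_lengths(headers)
    findings = []
    if ".printer" in request_line.lower():
        findings.append("request targets the .printer ISAPI extension")
    if counts.get("host", 0) > MAX_HOST_REPEATS:
        findings.append(f"host header repeated {counts['host']} times")
    for name, total in totals.items():
        if total > max_total:
            findings.append(f"aggregate length of '{name}' headers is "
                            f"{total} bytes (> {max_total})")
    return findings


# Constructed sample requests (filler bytes only, no real payloads).
SPLIT_HOST = (b"GET /X.printer HTTP/1.1\r\n"
              + b"".join(b"Host: " + b"A" * 50 + b"\r\n" for _ in range(8))
              + b"\r\n")                        # 8 x 50 bytes = 400 aggregate
OTHER_HEADER = (b"GET /X.printer HTTP/1.1\r\nHost: www.example.com\r\n"
                + b"".join(b"Accept: " + b"A" * 50 + b"\r\n" for _ in range(8))
                + b"\r\n")                      # same trick on a different header
BENIGN = b"GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("split host", SPLIT_HOST),
                       ("other header", OTHER_HEADER),
                       ("benign", BENIGN)):
        print(label, "->", inspect_request(req) or "clean")
```

Counting repeats catches the Host: variant; the aggregate check is the one that survives the move to another header name, and it is also the check that still fires when the concatenated total is what the vulnerable server actually processes.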

