Bugtraq mailing list archives
Re: New Snort Bypass - Patch - Bypass of Patch
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Fri, 2 Jun 2006 19:16:38 -0400
Sigint Consulting said:
However we can once again bypass this by including our CR character before our string like so: perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc 192.168.1.3 80 No alert is generated from the string above.
[...]
We are not sure how much this may buy an attacker as the CR character may mess up any requests to the webserver, further research is needed on this.
I performed this research while developing NFR's web signatures, and found that all web servers I tested (several years ago) handled end-of-lines using "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that interprets "index.php" in the example above as an actual filename, I for one would be very interested in knowing about it. -- Dodge
Attachment:
_bin
Description:
Current thread:
- New Snort Bypass - Patch - Bypass of Patch Sigint Consulting (Jun 02)
- Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 02)
- Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 04)
- Re: New Snort Bypass - Patch - Bypass of Patch Pukhraj Singh (Jun 05)
- Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 04)
- Re: New Snort Bypass - Patch - Bypass of Patch M. Dodge Mumford (Jun 02)