Penetration Testing mailing list archives

Re: New article on SecurityFocus


From: Alexander Sotirov <asotirov () determina com>
Date: Fri, 06 Jan 2006 22:05:58 -0800

H D Moore wrote:
> On Wednesday 04 January 2006 19:49, Erin Carroll wrote:
>> Out of curiosity, has anyone done any testing against
>> the new signatures to determine if they are code specific or if tricks
>> like tagging %0%0 in the payload bypass them?
>
> All of the current IDS/AV signatures are based on the following pattern:
>
> (All values below are in hex)
>
> ---
> [ any number of bytes ]
> (01 or 02) + 00 + 09 + 00
> [ any number of bytes ]
> 26 + 09 + 00

Some AV products might be using this basic signature, but they probably have a
second layer of more complicated checks to avoid false positives. Otherwise
they'll trigger on any WMF file that includes 26 09 00 in some random record.
F-Secure parses the metafile and traverses all records the same way
GDI32!PlayMetaFileRecord does, looking for the META_ESCAPE record. If you can
break their parser and avoid detection, the Windows function will most likely
break too and fail to play your file. It's a pretty solid technique, but of
course, the more complicated your parser gets, the greater the chance of having
a bug in it. They were lucky that WMF is easy to parse.

The IDS systems were the ones that were really screwed. It is much harder to
reassemble TCP, decrypt SSL and parse WMF files on a gigabit link :-)

Alex
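The contrast Alex draws above, between a raw byte pattern and a parser that walks the record chain the way GDI32!PlayMetaFileRecord does, as an added example that is not part of the original thread and is not any vendor's actual signature or F-Secure's code: a small Python walker that follows the WMF header and record chain and reports the META_ESCAPE/SETABORTPROC record, beside a naive substring check standing in for the pattern H D Moore quotes. Both are run over two constructed files, one carrying the escape record and one benign text record whose string bytes merely contain the same four bytes. The constants are the documented WMF values; the helper names (`record`, `wmf`, `naive_signature`, `find_setabortproc`), the sample files and the byte layout of the naive check (function 0x0626 then escape 0x0009, little-endian, i.e. `26 06 09 00` as it sits in a real record) are my own construction.

```python
import struct

# WMF record function codes and the escape sub-function (values from the WMF format spec).
META_EOF = 0x0000
META_TEXTOUT = 0x0521
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7          # magic of the optional 22-byte placeable (Aldus) header

# The escape record as laid out on disk: function 0x0626 then escape 0x0009, little-endian.
# Constructed stand-in for the "26 09 00" pattern quoted in the thread, not a vendor signature.
ESCAPE_BYTES = struct.pack("<HH", META_ESCAPE, SETABORTPROC)


def naive_signature(data: bytes) -> bool:
    """Byte-pattern check: a header prefix anywhere, then the escape bytes anywhere after it."""
    for header_prefix in (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"):
        i = data.find(header_prefix)
        if i >= 0 and data.find(ESCAPE_BYTES, i + 4) >= 0:
            return True
    return False


def find_setabortproc(data: bytes):
    """Walk the record chain the way PlayMetaFile does.

    Returns (verdict, record_index): "setabortproc" with the index of the offending record,
    "clean" when META_EOF is reached, or "not-wmf" / "malformed" / "truncated" when the walk
    cannot proceed (a file the walker cannot follow is one Windows is unlikely to play either,
    which is Alex's point, so it is reported rather than silently passed).
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                     # skip the placeable header if present
    if len(data) < off + 18:
        return "malformed", None
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        return "not-wmf", None
    off += 18                                        # standard header is 9 words
    index = 0
    while True:
        if off + 6 > len(data):
            return "truncated", index
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                           # size counts the 6-byte record header too
            return "malformed", index
        end = off + size_words * 2
        if end > len(data):
            return "truncated", index
        if func == META_EOF:
            return "clean", None
        # GDI dispatches on the low byte of the function word, so the walker compares that byte.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and size_words >= 4:
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                return "setabortproc", index
        off = end
        index += 1


def record(func: int, params: bytes) -> bytes:
    """Build one record: size in words (header included), function word, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def wmf(records) -> bytes:
    """Build a minimal in-memory (FileType 1) metafile from a list of records plus META_EOF."""
    records = list(records) + [record(META_EOF, b"")]
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


# Constructed samples (not real files): one escape record selecting SETABORTPROC with four
# placeholder zero bytes, and one text record whose string happens to contain the same bytes.
SAMPLE_ESCAPE = wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
SAMPLE_TEXT = wmf([record(META_TEXTOUT, struct.pack("<H", 4) + ESCAPE_BYTES + struct.pack("<hh", 10, 10))])


if __name__ == "__main__":
    for name, sample in (("escape", SAMPLE_ESCAPE), ("text", SAMPLE_TEXT), ("text-cut", SAMPLE_TEXT[:-4])):
        print(name, "naive:", naive_signature(sample), "walk:", find_setabortproc(sample))
```

Run as a script it shows the behaviour Alex describes: the naive pattern fires on both files, since the benign text record contains the same four bytes in its string data, while the walker reports the escape record only for the first file and returns "clean" for the second. The truncated copy of the text file makes the walker report "truncated" at the record it could not read, which is the case to surface for manual review rather than treat as clean.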
