[Snort-devel] Possible Evasion in http_inspect

Joel Ebrahimi jebrahimi at ...2857...
Thu Jun 1 09:13:03 EDT 2006


It doesnt appear that the email I sent out prior to this to both the devel this and users list ever made it through entirely( I see it on the marc mirror but I never got it sent to me and it never seem to have made it to users).
Since the bypass is trivial to implement I would hope that this patch could get reviewed by the devel/user community asap.
Reposting yesterdays message below.
----------------------------------------------------------

A large scale Snort evasion has been discovered by Blake Hartstein, a member of the Demarc Threat Research Team.
 
The evasion technique allows an attack to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration.
 
This affects thousands of rules in the standard Snort base rule sets.
 
Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below.
 
This patch addresses the carriage return bug and should catch the known evasion attempts but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:
 
-----HTTP Inspect Server Configuration-----
 
non_std_cr <yes|no>
 
This option generates an alert when a non standard carriage return character is detected in the URI.  
 
-----end-----
 

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch can be found at 
http://www.demarc.com/support/downloads/patch_20060531
 
With the release of this information we have also released a fix to all our Sentarus customers. If your auto-updates are turned on, then a patch and all related updates have already been applied, or you can go into your Sentarus management console and request an immediate update.
 
 
// Joel 
 
 Joel Ebrahimi
 Demarc Security, Inc.
 jebrahimi at ...2857...
 http://www.demarc.com/
 
 

-----Patch for Snort-2.4.4--
 
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
--- snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c 2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
 
 #define URI_END  1
 #define NO_URI  -1
+#define CR_IN_URI 18 
 #define INVALID_HEX_VAL -1
 
 /**
@@ -455,6 +456,11 @@
         return URI_END;
     }
 
+ if(isspace(**ptr) )
+ {
+  return CR_IN_URI;
+ }
+
     return NO_URI;
 }
 
@@ -1345,8 +1351,21 @@
                     */
                     break;
                 }
+  else if(iRet == CR_IN_URI)
+  {
+          if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+          {
+               hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+                                   NULL, NULL);
+   }
+   break;
+  }
+
+
+
                 else /* NO_URI */
                 {
+
                     /*
                     **  Check for chunk encoding, because the delimiter can
                     **  also be a space, which would look like a pipeline request
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
--- snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
     {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
         HI_EO_CLIENT_PROXY_USE_STR },
     {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
-        HI_EO_CLIENT_WEBROOT_DIR_STR }
+        HI_EO_CLIENT_WEBROOT_DIR_STR },
+    { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+        HI_EO_CLIENT_CR_IN_URI_STR },
 };
 
 static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h 2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
 #define HI_EO_CLIENT_LARGE_CHUNK    15  /* done */
 #define HI_EO_CLIENT_PROXY_USE      16  /* done */
 #define HI_EO_CLIENT_WEBROOT_DIR    17  /* done */
+#define HI_EO_CLIENT_CR_IN_URI      18  /* done */
 
 /*
 **  IMPORTANT:
 **  Every time you add a client event, this number must be
 **  incremented.
 */
-#define HI_EO_CLIENT_EVENT_NUM      18
+#define HI_EO_CLIENT_EVENT_NUM      19
 
 /*
 **  These defines are the alert names for each event
@@ -71,6 +72,8 @@
     "(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
 #define HI_EO_CLIENT_WEBROOT_DIR_STR                    \
     "(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR                       \
+    "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
 
 /*
 **  Anomalous Server Events
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h 2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
     HTTPINSPECT_CONF_OPT webroot;
     HTTPINSPECT_CONF_OPT apache_whitespace;
     HTTPINSPECT_CONF_OPT iis_delimiter;
+    HTTPINSPECT_CONF_OPT non_std_cr;
     
 }  HTTPINSPECT_CONF;
 
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
--- snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2005-03-16 13:52:19.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
 
     GlobalConf->global_server.non_strict = 1;
 
+    GlobalConf->global_server.non_std_cr.on = 1;
+    GlobalConf->global_server.non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -209,6 +212,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
     
@@ -279,6 +285,9 @@
 
     ServerConf->non_strict = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -349,6 +358,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
diff -Nuar snort-2.4.4/src/preprocessors/snort_httpinspect.c snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 08:52:19.000000000 -0700
+++ snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c 2006-05-30 10:33:54.000000000 -0700
@@ -134,6 +134,7 @@
 #define GLOBAL_ALERT      "no_alerts"
 #define WEBROOT           "webroot"
 #define TAB_URI_DELIMITER "tab_uri_delimiter"
+#define NON_STD_CR    "non_std_cr"
 
 /*
 **  Alert subkeywords
@@ -1449,6 +1450,15 @@
                 return iRet;
             }
         }
+        else if(!strcmp(NON_STD_CR, pcToken))
+        {
+            ConfOpt = &ServerConf->non_std_cr;
+            if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR,
+                                      ErrorString, ErrStrLen)))
+            {
+                return iRet;
+            }
+        }
         else if(!strcmp(IIS_BACKSLASH, pcToken))
         {
             ConfOpt = &ServerConf->iis_backslash;
@@ -1583,6 +1593,7 @@
     PrintConfOpt(&ServerConf->webroot, "Web Root Traversal");
     PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace");
     PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter");
+    PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return");
 
     if(ServerConf->iis_unicode_map_filename)
     {
 

-----end-----

 

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Jennifer Steffens
> Sent: Wednesday, May 31, 2006 3:28 PM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Possible Evasion in http_inspect
> 
> Sourcefire is aware of a possible Snort evasion that exists 
> in the http_inspect preprocessor.  This evasion case only 
> applies to protected Apache web servers. We have prepared 
> fixes for both the 2.4 and 2.6 branches and will have fully 
> tested releases, including binaries, available for both on 
> Monday, June 5th.
> 
> 
> Evasion Details:
> 
> The Apache web server supports special characters in HTTP 
> requests that do not affect the processing of the particular 
> request.  The current target-based profiles for Apache in the 
> http_inspect preprocessor do not properly handle these 
> requests, resulting in the possibility that an attacker can 
> bypass detection of rules that use the "uricontent" keyword 
> by embedding special characters in a HTTP request.
> 
> 
> Background Information:
> 
> It is important to note that this is an evasion and not a 
> vulnerability.
> This means that while it is possible for an attacker to 
> bypass detection, Snort sensors and the networks they protect 
> are not at a heightened risk of other attacks.
> 
> 
> Timeline:
> 
> Sourcefire has prepared fixes and is currently finalizing a 
> complete round of testing to ensure that the fixes not only 
> solve the issue at hand but do not create new bugs as well. 
> The following releases, including binaries for Linux and 
> Windows deployments, will be available on Monday, June 5th:
> 
> * Snort v2.4.5
> * Snort v2.6.0 final
> 
> 
> Questions:
> 
> Any questions regarding these releases can be sent to 
> snort-team at ...2780...
> 
> Thanks,
> Jennifer
> 
> 
> --
> Jennifer S. Steffens
> Director, Product Management - Snort
> Sourcefire - Security for the Real World
> W: 410.423.1930 | C: 202.409.7707
> www.sourcefire.com | www.snort.org
> 
> 
> 
> 
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost 
> and Risk!
> Fully trained technicians. The highest number of Red Hat 
> certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&
> dat=121642
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.8.0/352 - Release 
> Date: 5/30/2006
>  
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.0/353 - Release Date: 5/31/2006
 




More information about the Snort-devel mailing list