[Snort-devel] Snort Uricontent Bypass Vulnerability

Drew Burchett DrewB at ...2878...
Mon Jun 12 11:46:50 EDT 2006


Must have been something on my end during the download.  I redownloaded
and recompiled and it shows up correctly now.

 

Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132

 

  _____  

From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Joel
Ebrahimi
Sent: Wednesday, May 31, 2006 10:51 AM
To: snort-users at lists.sourceforge.net;
snort-devel at lists.sourceforge.net; bleeding-sigs at ...2834...;
bleeding at ...2834...
Subject: [Snort-devel] Snort Uricontent Bypass Vulnerability

 

A large scale Snort evasion has been discovered by Blake Hartstein, a
member of the Demarc Threat Research Team.

 

The evasion technique allows an attack to bypass detection of
"uricontent" rules by adding a carriage return to the end of a URL,
directly before the HTTP protocol declaration.

 

This affects thousands of rules in the standard Snort base rule sets.

 

Due to the seriousness of this vulnerability, we have developed a
working patch for public review. See below.

 

This patch addresses the carriage return bug and should catch the known
evasion attempts but further research needs to be done to determine if
there are any other possible impacts of this bug. The detection for
evasion is turned on by default under all profiles but can also be used
as a server configuration option:

 

-----HTTP Inspect Server Configuration-----

 

non_std_cr <yes|no>

 

This option generates an alert when a non standard carriage return
character is detected in the URI.  

 

-----end-----

 


More information including a pre-patched tarball, a simple proof of
concept, and a copy of this patch can be found at 
http://www.demarc.com/support/downloads/patch_20060531
<http://www.demarc.com/support/downloads/patch_20060531> 

 

With the release of this information we have also released a fix to all
our Sentarus customers. If your auto-updates are turned on, then a patch
and all related updates have already been applied, or you can go into
your Sentarus management console and request an immediate update.

 

 

// Joel 

 

 Joel Ebrahimi

 Demarc Security, Inc.
 jebrahimi at ...2857... <BLOCKED::mailto:jebrahimi at ...2857...> 
 http://www.demarc.com/ <BLOCKED::http://www.demarc.com/> 
 

 


-----Patch for Snort-2.4.4--

 

diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
--- snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c
2005-03-16 13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
 
 #define URI_END  1
 #define NO_URI  -1
+#define CR_IN_URI 18 
 #define INVALID_HEX_VAL -1
 
 /**
@@ -455,6 +456,11 @@
         return URI_END;
     }
 
+ if(isspace(**ptr) )
+ {
+  return CR_IN_URI;
+ }
+
     return NO_URI;
 }
 
@@ -1345,8 +1351,21 @@
                     */
                     break;
                 }
+  else if(iRet == CR_IN_URI)
+  {
+
if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+          {
+
hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+                                   NULL, NULL);
+   }
+   break;
+  }
+
+
+
                 else /* NO_URI */
                 {
+
                     /*
                     **  Check for chunk encoding, because the delimiter
can
                     **  also be a space, which would look like a
pipeline request
diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.
c
--- snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
2004-03-11 14:25:53.000000000 -0800
+++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.
c 2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
     {HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
         HI_EO_CLIENT_PROXY_USE_STR },
     {HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
-        HI_EO_CLIENT_WEBROOT_DIR_STR }
+        HI_EO_CLIENT_WEBROOT_DIR_STR },
+    { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+        HI_EO_CLIENT_CR_IN_URI_STR },
 };
 
 static HI_EVENT_INFO
anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {
diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h
2004-03-11 14:25:53.000000000 -0800
+++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
 #define HI_EO_CLIENT_LARGE_CHUNK    15  /* done */
 #define HI_EO_CLIENT_PROXY_USE      16  /* done */
 #define HI_EO_CLIENT_WEBROOT_DIR    17  /* done */
+#define HI_EO_CLIENT_CR_IN_URI      18  /* done */
 
 /*
 **  IMPORTANT:
 **  Every time you add a client event, this number must be
 **  incremented.
 */
-#define HI_EO_CLIENT_EVENT_NUM      18
+#define HI_EO_CLIENT_EVENT_NUM      19
 
 /*
 **  These defines are the alert names for each event
@@ -71,6 +72,8 @@
     "(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
 #define HI_EO_CLIENT_WEBROOT_DIR_STR                    \
     "(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR                       \
+    "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
 
 /*
 **  Anomalous Server Events
diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h
2005-03-16 13:52:18.000000000 -0800
+++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
     HTTPINSPECT_CONF_OPT webroot;
     HTTPINSPECT_CONF_OPT apache_whitespace;
     HTTPINSPECT_CONF_OPT iis_delimiter;
+    HTTPINSPECT_CONF_OPT non_std_cr;
     
 }  HTTPINSPECT_CONF;
 
diff -Nuar
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_co
nfig.c
---
snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
2005-03-16 13:52:19.000000000 -0800
+++
snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_co
nfig.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
 
     GlobalConf->global_server.non_strict = 1;
 
+    GlobalConf->global_server.non_std_cr.on = 1;
+    GlobalConf->global_server.non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -209,6 +212,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
     
@@ -279,6 +285,9 @@
 
     ServerConf->non_strict = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
@@ -349,6 +358,9 @@
 
     ServerConf->tab_uri_delimiter = 1;
 
+    ServerConf->non_std_cr.on = 1;
+    ServerConf->non_std_cr.alert = 1;
+
     return HI_SUCCESS;
 }
 
diff -Nuar snort-2.4.4/src/preprocessors/snort_httpinspect.c
snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23
08:52:19.000000000 -0700
+++ snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c 2006-05-30
10:33:54.000000000 -0700
@@ -134,6 +134,7 @@
 #define GLOBAL_ALERT      "no_alerts"
 #define WEBROOT           "webroot"
 #define TAB_URI_DELIMITER "tab_uri_delimiter"
+#define NON_STD_CR    "non_std_cr"
 
 /*
 **  Alert subkeywords
@@ -1449,6 +1450,15 @@
                 return iRet;
             }
         }
+        else if(!strcmp(NON_STD_CR, pcToken))
+        {
+            ConfOpt = &ServerConf->non_std_cr;
+            if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR,
+                                      ErrorString, ErrStrLen)))
+            {
+                return iRet;
+            }
+        }
         else if(!strcmp(IIS_BACKSLASH, pcToken))
         {
             ConfOpt = &ServerConf->iis_backslash;
@@ -1583,6 +1593,7 @@
     PrintConfOpt(&ServerConf->webroot, "Web Root Traversal");
     PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace");
     PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter");
+    PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return");
 
     if(ServerConf->iis_unicode_map_filename)
     {

 


-----end-----


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.0/352 - Release Date: 5/30/2006



--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060612/beab00cf/attachment.html>


More information about the Snort-devel mailing list