[Snort-sigs] Bug report - Telnet negotiation based FTP signature evasion

Steven Sturges steve.sturges at ...435...
Fri May 26 11:38:01 EDT 2006


Missing from the code snippet is the context:

     /* if the following byte isn't a subnegotiation initialization */
     if(((read_ptr + 1) < end) &&
         (*read_ptr == (char) TNC_IAC) &&
         (*(read_ptr + 1) != (char) TNC_SB))
     {
        /* snippet */
     }
     else if(((read_ptr + 1) < end) &&
                 (*read_ptr == (char) TNC_IAC) &&
                 (*(read_ptr+1) == (char) TNC_SB))
     {
        /* move past the end of the subnegotiation */
        ....
     }

Per the Telnet RFC, the Telnet IAC SB must be closed
by a corresponding IAC SE (subnegotiation end) -- FF FA.

Based on that, the data sent over the FTP command channel,
CWD ~\255\250{\r\n

is translated as CWD ~ (Subnegotiation Begin) and the {\r\n
will be interpreted as option data.  Thus it is NOT part
of the data stream delivered to the FTP server.

The data between (and including) the IAC SB and IAC SE are
normalized out so that the rule will match.

If a particular FTP server does not properly handle the
IAC SB and simply ignores those two bytes, you can write a
rule that uses rawbytes to address that.

Cheers.
-steve

----- Original Message -----
From: "pratap" <pratap at ...3230...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, May 16, 2006 2:58 PM
Subject: [Snort-sigs] Bug report - Telnet negotiation based FTP signature evasion


 > Bug Report: Snort 2.4.4
 >
 > Problem
 > =======
 > We observed the evasion of a Snort signature in the ftp protocol using
 > Telnet Subnegotiation based ASCII transformation on the attack vector.
 > This evasion technique works only for FTP servers that support Telnet
 > negotiation. Signatures like "FTP wu-ftp bad file completion attempt {"
 > (SID: 1378 rev: 15) require keywords like "~{" in the malicious ftp
 > query for successful detection.
 >
 > We attribute the bug to the implementation incompatibility of the
 > Telnet Negotiation protocol in Snort and WU-ftpd.
 >
 > Configuration:
 > ==============
 >     +---+                 +---+
 >     + A +<-------+------->+ V +
 >     +---+        |        +---+
 >                  |
 >              +-------+
 >              + snort +
 >              +-------+
 > A - Attacker machine
 > V - victim machine.
 >
 > Illustration of the bug
 > =========================
 >
 > We use signature Snort sid: 1378 ("FTP wu-ftp bad file completion
 > attempt { ") to illustrate the problem.
 >
 > Details of the signature:
 > $Id: ftp.rules,v 1.57.2.7.2.6 2005/07/22 19:19:54
 >
 > Signature:
 > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file
 > completion attempt {"; flow:to_server,established; content:"~";
 > content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707;
 > reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack;
 > sid:1378; rev:15;)
 >
 > The steps needed to see effect of the bug are:
 > 1. Establish an FTP connection between A and V (to victim ftp port).
 > 2. Send CWD command with telnet command in between: "CWD ~\255\250{\r\n"
 >    (Here \255 is the IAC (Interpret As Command) or telnet escape
 >    character and \250 is the SB character)
 >
 > Alert is not produced here. Alert is produced if and only if the
 > telnet command is removed between "~{". The ftp query is visible
 > only after correct normalization of the "Telnet negotiation
 > escape characters". In this example we obscured the pattern
 > "{" in attack packet using "Telnet Subnegotiation Begin" (SB) character.
 >
 > This illustration was shown only on the "~{" pattern but can be used
 > anywhere in the packet and with any keyword to evade any signature.
 >
 > Code snippet:
 > The related code segment in
 > snort-2.4.4/src/preprocessors/spp_telnet_negotiation.c
 >
 >
 >       switch(* ((unsigned char *)(read_ptr + 1)))
 >              {
 >              case TNC_NOP:
 >                  read_ptr += 2;
 >                  break;
 >              case TNC_EAC:
 >                  read_ptr += 2;
 >                  /* wind it back a character */
 >                  if(write_ptr  > start)
 >                  {
 >                      write_ptr--;
 >                  }
 >                  break;
 >              case TNC_EAL:
 >                  /* todo: wind write_ptr back a line? */
 >                  read_ptr += 2;
 >                  break;
 >              case TNC_SE:
 >                  /* Uh, what the heck is a Subnegotiation-end
 >                   * doing here without a SB?.
 >                   * could generate an alert, or just normalize
 >                   * it out.
 >                   */
 >                  read_ptr += 2;
 >                  break;
 >              /* These are two bytes long */
 >              case TNC_BRK:
 >              case TNC_DM:
 >              case TNC_IP:
 >              case TNC_AO:
 >              case TNC_AYT:
 >              case TNC_GA:
 >                  read_ptr += 2;
 >                  break;
 >              /* IAC IAC -- means the IAC character (0xff) should be
 >               * in the data stream since it was escaped */
 >              case TNC_IAC:
 >                  read_ptr++; /* skip past the first IAC */
 >                  *write_ptr++ = *read_ptr++;
 >                  break;
 >              default: /* WILL, WON'T, DO, DON'T */
 >                  /* move the read ptr up 3 bytes */
 >                  read_ptr += TNC_STD_LENGTH;
 >              }
 >
 > Versions
 > ===========
 > IDS: Snort 2.4.4
 > Attacker:  Linux version 2.6.11-1.1369_FC4smp
 > Victim:  Linux version 2.4.20-8
 > FTP server: WU-ftpd 2.6.1
 >
 > ---------------------------------
 > Pratap Ramamurthy
 > Graduate Student
 > Computer Sciences
 > University of Wisconsin - Madison
 > ---------------------------------
 >
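The mismatch both messages turn on, as an added example in C that is not Snort's spp_telnet_negotiation.c: a small normalizer that strips Telnet negotiation either strictly (IAC SB ... IAC SE dropped as a unit, so an unterminated SB swallows the rest of the command) or leniently (a bare IAC SB dropped as two bytes, the way the report says WU-ftpd behaves), plus a check for the "~" then "{" content pair from sid 1378. The `telnet_normalize` and `matches_sid1378` names and the sample command buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define TNC_IAC 0xff   /* Interpret As Command */
#define TNC_SB  0xfa   /* Subnegotiation Begin */
#define TNC_SE  0xf0   /* Subnegotiation End */

/* Example normalizer (not Snort's own code). Copies buf to out, removing
 * Telnet negotiation. strict != 0: IAC SB ... IAC SE is removed as a unit
 * and an SB with no matching SE consumes everything after it. strict == 0:
 * only the two bytes IAC SB are dropped and the option data is kept, which
 * mimics a server that ignores IAC SB. out must hold at least len bytes.
 * Returns the number of bytes written to out. */
size_t telnet_normalize(const unsigned char *buf, size_t len,
                        unsigned char *out, int strict)
{
    size_t r = 0, w = 0;
    while (r < len) {
        if (buf[r] != TNC_IAC || r + 1 >= len) {
            out[w++] = buf[r++];        /* plain data (or a trailing lone IAC) */
            continue;
        }
        unsigned char cmd = buf[r + 1];
        if (cmd == TNC_IAC) {           /* IAC IAC: an escaped 0xff data byte */
            out[w++] = TNC_IAC;
            r += 2;
        } else if (cmd == TNC_SB) {
            r += 2;                     /* step past IAC SB */
            if (!strict)
                continue;               /* lenient: option bytes stay as data */
            while (r < len) {           /* strict: skip up to and incl. IAC SE */
                if (buf[r] == TNC_IAC && r + 1 < len && buf[r + 1] == TNC_SE) {
                    r += 2;
                    break;
                }
                r++;
            }
        } else if (cmd >= 0xfb) {       /* WILL, WONT, DO, DONT: three bytes */
            r += 3;
        } else {                        /* NOP, BRK, stray SE, ...: two bytes */
            r += 2;
        }
    }
    return w;
}

/* Does the normalized command contain "~" followed later by "{",
 * the two content matches sid 1378 relies on? */
int matches_sid1378(const unsigned char *cmd, size_t len)
{
    const unsigned char *t = memchr(cmd, '~', len);
    return t != NULL && memchr(t, '{', len - (size_t)(t - cmd)) != NULL;
}
```

Run against the command from the report, the strict reading yields "CWD ~" with no "{" left to match, while the lenient reading yields "CWD ~{\r\n" and the rule fires; that gap is exactly what a rawbytes rule would be written to cover.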