Re: [Full-disclosure] TippingPoint IPS Signature Evasion



This is exploitable (and tested) against IIS 5/5.1 (IIS6/7 are not
vulnerable).
However, potentially other web servers are also vulnerable if they are
capable of decoding alternate Unicode characters.

I also agree with you, blaming an IPS for not detecting an attack which is
impossible in the wild would be very pointless.
Although IIS 5 is old, it is still relatively common.

Any further questions, feel free to ask.


Cheers,



Paul Craig
Security Consultant
Security-Assessment.com


-----Original Message-----
From: 3APA3A [mailto:3APA3A@xxxxxxxxxxxxxxxx]
Sent: Thursday, 12 July 2007 2:30 a.m.
To: Paul Craig
Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: TippingPoint IPS Signature Evasion

Dear Paul Craig,

--Wednesday, July 11, 2007, 1:37:03 AM, you wrote to
bugtraq@xxxxxxxxxxxxxxxxx:


PC> http://www.test.com/scripts%c0%afcmd.exe
PC> http://www.test.com/scripts%e0%80%afcmd.exe
PC> http://www.test.com/scripts%c1%9ccmd.exe

PC> Web servers located behind a Tippingpoint IPS device which are capable
PC> of decoding alternate Unicode characters can be accessed, and exploited
PC> without triggering the IPS device.

Can you please provide an example of such a server? Fatih Ozavci reported
a similar problem with Checkpoint and Halfwidth/Fullwidth Unicode; the
potential attack vector was IIS with the .Net framework. In this case IIS
seems not to be exploitable.

Blaming an IPS because it does not detect an attack which is impossible
in the wild is nonsense. Blaming a corporate-level IPS because it doesn't
detect an attack against a SOHO web server is acceptable nonsense :)

--
~/ZARAZA http://securityvulns.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
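
An added example, not part of the original thread: a Python check that flags the non-shortest-form (overlong) UTF-8 sequences seen in the quoted URLs, which is the normalization step a detection rule needs before matching on path separators. The function names and the fourth, benign sample URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

# (lead-byte mask, lead-byte pattern, sequence length, smallest code point
# that legitimately needs that length)
_FORMS = [(0xE0, 0xC0, 2, 0x80), (0xF0, 0xE0, 3, 0x800), (0xF8, 0xF0, 4, 0x10000)]


def pct_decode(raw: str) -> bytes:
    """Percent-decode once into raw bytes, without interpreting them as text."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw.encode("utf-8"))


def overlong_sequences(data: bytes):
    """Return (offset, raw bytes, decoded char) for each overlong UTF-8 sequence."""
    hits, i = [], 0
    while i < len(data):
        form = next((f for f in _FORMS if data[i] & f[0] == f[1]), None)
        if form is None:
            i += 1
            continue
        mask, _, length, minimum = form
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(t & 0xC0 != 0x80 for t in tail):
            i += 1  # truncated or malformed sequence: not handled in this example
            continue
        cp = data[i] & ~mask & 0xFF
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < minimum:  # a shorter encoding exists, so this form is overlong
            hits.append((i, data[i:i + length], chr(cp)))
        i += length
    return hits


def inspect_url(url: str):
    """Flag overlong sequences in the path of a URL."""
    return overlong_sequences(pct_decode(urlsplit(url).path))


# Constructed input: the three URLs quoted in the thread plus one benign URL.
SAMPLES = [
    "http://www.test.com/scripts%c0%afcmd.exe",
    "http://www.test.com/scripts%e0%80%afcmd.exe",
    "http://www.test.com/scripts%c1%9ccmd.exe",
    "http://www.test.com/caf%c3%a9/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, inspect_url(url) or "clean")
```

The first two samples decode to `/` and the third to `\`, while the legitimately encoded `é` in the fourth is not flagged.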


