Nine tricks for breaking through an IDS - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200922425
Type myhack58
Reporter Anonymous
Modified 2009-03-06T00:00:00


An intrusion detection system, IDS for short, is, as the name says, a system that detects attacks in real time and reports them. If the firewall is the doorman guarding the gate of the network, then the IDS is the patrol officer actively looking for intruders. Techniques for getting past an IDS are therefore of great significance for vulnerability scanning, script injection, URL attacks and the like, and studying them also helps IDS products improve further.

Snort is an IDS that many people use, but it is not a cure-all. Here I will discuss one method of getting past a network-based IDS such as Snort: polymorphic URL techniques.

The word "polymorphic" may remind you of virus-writing techniques such as polymorphism, mutation and encryption. The polymorphic URL encoding I am going to describe does resemble polymorphic virus techniques: both use different forms to achieve the same purpose.

The same URL can be written using different encodings. During real-time detection, an IDS compares the data it sees against the strings its rule-set file marks as attack intent; when they match, it concludes the system is under attack, blocks the attack and raises an alarm. Because a URL serving the same purpose can be represented in different forms, the URL after transformation and encoding may not be present in the IDS rule-set file, which disrupts the IDS signature analysis engine and thereby breaks through and bypasses the IDS!

There are many polymorphic URL encoding techniques; here I describe nine that are commonly used and fairly representative. For ease of explanation, a request for the address /msadc/msadcs.dll serves as the example throughout. "/msadc/msadcs.dll" has been collected into the rule-set files of Snort and other IDSes, so when we submit /msadc/msadcs.dll directly to the target machine, the IDS will intercept it and raise an alarm.

First trick: inserting the "/./" string

Since "./" has the special property of not changing the path, we can insert it into the URL to transform it. For example, /msadc/msadcs.dll can be rewritten as /././msadc/././msadcs.dll, /./msadc/.//./msadcs.dll and other such forms to disrupt the IDS signature analysis engine and deceive the IDS. The rewritten and encoded URL has exactly the same access effect as the unmodified one. My experiments showed that this method can bypass Snort and other IDSes.

Second trick: the ASCII code 00

The Dongwang forum upload vulnerability from a while back made use of this feature, so I am sure everyone is familiar with it. The principle: when a computer processes a string, it automatically truncates it at the byte whose ASCII code is 00. So we can rewrite /msadc/msadcs.dll as /msadc/msadcs.dll Iloveheikefangxian, use WinHex to change the space between .dll and Ilove into the byte with ASCII code 00, save, and submit it with nc using the pipe operator. To some IDSes, /msadc/msadcs.dll Iloveheikefangxian is not the same as the attack string defined in their rule-set file, so they ignore the attacker's behaviour. Voila! How widely the principle "a computer truncates a string at ASCII code 00" applies! Philosophically speaking, everything is connected; if we think more and dig out the underlying rules, there will be new discoveries.

Third trick: using the path separator "\"

On web servers such as Microsoft's IIS, "\" can also serve as a path separator, just like "/". Some IDSes do not take the non-standard path separator "\" into account when their rule sets are written. If we rewrite /msadc/msadcs.dll as \msadc\msadcs.dll we can escape Snort's detection, because Snort's rule-set file has no \msadc\msadcs.dll signature. It is worth mentioning that the path delimiter "\" has another wonderful use: the "%5c" database-exposure technique that Hacker Defense covered a while ago. "%5c" is the hexadecimal representation of "\".

Fourth trick: hex encoding

Any character can be represented by the escape symbol "%" followed by its hexadecimal ASCII code. For example, the first character "/" of /msadc/msadcs.dll can be written as %2F, and every other character can likewise be written as "%" plus its hexadecimal ASCII code. After this encoding the URL no longer looks like the original, and the IDS rule-set file may not contain the encoded string, so the IDS can be bypassed. This method does not work, however, against an IDS that uses HTTP preprocessing.

Fifth trick: illegal Unicode encoding

UTF-8 allows a character set with more than 256 characters, and therefore also allows encodings longer than 8 bits. The hexadecimal ASCII code of "/" is 2F, which is 00101111 in binary. The standard UTF-8 representation of 2F is still 2F, but 2F can also be represented in multibyte UTF-8. As the following table shows, "/" can be represented with a single-byte, double-byte or three-byte UTF-8 encoding:

Representation of "/"   Bit pattern                  Binary                        Hex
Single byte             0xxxxxxx                     00101111                      2F
Double byte             110xxxxx 10xxxxxx            11000000 10101111             C0 AF
Three bytes             1110xxxx 10xxxxxx 10xxxxxx   11100000 10000000 10101111    E0 80 AF

Following this method, we can encode the entire string accordingly. Although the encoded URLs ultimately point to the same resource, their representations differ, and the IDS rule-set file may not contain these filter strings, so the IDS is broken through.
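As an added example (not from the original article), the Python below reproduces the table's encodings for any code point and checks each against Python's strict UTF-8 decoder, which is the behaviour an IDS or server should have; `utf8_overlong`, `encoding_table` and `strict_decode` are names chosen here.

```python
# Added example: build the single-, double- and three-byte UTF-8 forms of a
# code point as in the table above, then show that a strict decoder (the kind
# an IDS or web server should use) rejects every form longer than the minimum.
LEAD_BITS = {2: 0xC0, 3: 0xE0, 4: 0xF0}     # 110xxxxx, 1110xxxx, 11110xxx
PAYLOAD_BITS = {1: 7, 2: 11, 3: 16, 4: 21}  # usable bits per sequence length


def utf8_overlong(code_point: int, nbytes: int) -> bytes:
    """Encode code_point in exactly nbytes bytes, zero-padding the leading
    bits. Any nbytes above the minimal length yields an 'overlong' sequence,
    which RFC 3629 forbids but permissive decoders once accepted."""
    if nbytes not in PAYLOAD_BITS or code_point >= 1 << PAYLOAD_BITS[nbytes]:
        raise ValueError("code point does not fit in %d byte(s)" % nbytes)
    if nbytes == 1:
        return bytes([code_point])
    tail = []
    for _ in range(nbytes - 1):              # continuation bytes: 10xxxxxx
        tail.append(0x80 | (code_point & 0x3F))
        code_point >>= 6
    return bytes([LEAD_BITS[nbytes] | code_point] + tail[::-1])


def encoding_table(code_point: int) -> list:
    """Rows of (length, binary, hex) for every length that can hold the
    code point: the table in the text, generalised to any character."""
    rows = []
    for n in range(1, 5):
        try:
            data = utf8_overlong(code_point, n)
        except ValueError:
            continue
        rows.append((n, " ".join(f"{b:08b}" for b in data),
                     " ".join(f"{b:02X}" for b in data)))
    return rows


def strict_decode(data: bytes):
    """Return the decoded text, or None when the bytes are not valid UTF-8.
    Python's codec rejects overlong sequences, so of the forms of '/' only
    2F decodes; C0 AF and E0 80 AF are refused."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    for n, bits, hexs in encoding_table(ord("/")):
        print(f"{n}-byte  {bits:<35} {hexs:<12} strict: {strict_decode(bytes.fromhex(hexs))!r}")
```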

Sixth trick: excess encoding

Excess encoding is also called double decoding. Remember the uproar over the IIS Unicode decoding vulnerability and the double-decode vulnerability in 2000-2001? Many people confusedly thought the Unicode decoding vulnerability was the double-decode vulnerability, but they are two different things; the principle of the former is the one I explained above under "illegal Unicode encoding". Excess encoding means encoding a character more than once. For example, "/" can be written as %2f, and the characters "%", "2" and "f" of "%2f" can each in turn be written as their hexadecimal ASCII codes. By permutations and combinations there are 2 to the power of 3 encoded forms, so "%2f" can be rewritten as "%25%32%66", "%252f" and so on. This makes the URL polymorphic; the encoded string may not be collected in the IDS rule-set file, which fools some IDSes.

Seventh trick: adding a false path

If the string "../" is inserted into a URL, the directory before it loses its meaning and is cancelled out. Using "../" can therefore disrupt the signature analysis engine and break through the IDS!

Eighth trick: inserting more than one slash

We can use multiple "/" characters instead of a single "/". After the substitution the URL still works as before. For example, a request for /msadc/msadcs.dll can be changed to ////msadc////msadcs.dll. According to my experiments, this method can bypass some IDSes.

Ninth trick: combined polymorphic encoding

Clever readers will know from the subtitle that "combined" means using several of the polymorphic transformations described above together, which gives a better effect.
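The defender's counterpart to the combined trick is to undo all of the transformations before comparing against the rule set, which is what an HTTP preprocessor does. The Python below is an added example, not code from the article or from Snort; the function names, the three-round decode limit and the request variants it handles are assumptions made here.

```python
# Added example (not the article's or Snort's code): collapse every polymorphic
# form described above into one canonical path before signature matching.
import posixpath
import re

MAX_DECODE_ROUNDS = 3  # bounds "%2525.." chains (trick 6) so decoding ends

def percent_decode_once(data: bytes) -> bytes:
    """Replace each %XX with the byte it names; malformed escapes stay."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def lenient_utf8(data: bytes) -> str:
    """Decode like a permissive server: overlong 2- and 3-byte forms such as
    C0 AF and E0 80 AF (trick 5) yield the code point they spell, i.e. '/'.
    Bytes matching no pattern pass through unchanged."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = 2 if 0xC0 <= b < 0xE0 else 3 if 0xE0 <= b < 0xF0 else 1
        tail = data[i + 1:i + n]
        if n > 1 and len(tail) == n - 1 and all(0x80 <= c < 0xC0 for c in tail):
            cp = b & (0x1F if n == 2 else 0x0F)
            for c in tail:
                cp = (cp << 6) | (c & 0x3F)
            out.append(chr(cp))
            i += n
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def canonicalize(url: str) -> str:
    data = url.encode("latin-1")           # raw request bytes, NUL included
    for _ in range(MAX_DECODE_ROUNDS):     # tricks 4 and 6: %XX, %25XX, ...
        decoded = percent_decode_once(data)
        if decoded == data:
            break
        data = decoded
    path = lenient_utf8(data)
    path = path.split("\x00", 1)[0]        # trick 2: truncate at NUL
    path = path.replace("\\", "/")         # trick 3: IIS treats '\' as '/'
    path = re.sub(r"/+", "/", path)        # trick 8: '////' -> '/'
    return posixpath.normpath(path)        # tricks 1 and 7: './' and '../'

SIGNATURES = ["/msadc/msadcs.dll"]         # the rule string from the text

def matches_signature(url: str) -> bool:
    """True when the canonical form of the request contains a rule string."""
    return any(sig in canonicalize(url) for sig in SIGNATURES)
```

Matching on the canonical form means a single rule string covers all nine variants, whereas matching on the raw request would need one rule per encoding.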

Postscript: when I mentioned the "00 ASCII code" and the non-standard path separator "\", you may have felt that they sounded familiar, because both are closely linked to the Dongwang upload vulnerability and the database-exposure technique that were popular a while ago. Hacking is an art; what matters in hacking is inspiration and ideas. Through deep thinking, old knowledge can give rise to new techniques!