Subject: Re: Unicode and IDS evasion
From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Tue Oct 31 2000 - 09:16:46 CST


-----Original Message-----
>From: Eric Hacker
>Wow, a UTF8 parser in a couple of hours?

It looks like fast response, but there actually is a bunch of hidden things
going on in the background. Development started when Bruce Schneier made
his original posting about UTF8 issues many months ago; you only see the
code pop out when it becomes important. The recent patch is only for HTTP,
but we've been hooking in Unicode for a number of different protocol parsers
for a while.

>>http://networkice.com/something/%C0%AF%C0%AF/default.htm
>First, I thought %C0%AF was a ‘/’ and %C0%AE was the ‘.’...

Nope. I got it crossed. Sorry.

>Lacking a clear table indicating how IIS interprets UTF8, I did some
>testing. I ran through some potential UTF8 codes on my unpatched W2K IIS
>test server. I examined the logs to determine what IIS thought the URL was.
>I found thirteen representations for the letter ‘a’. I tested all of these
>and successfully retrieved a URL (http://myserver/a.txt) encoded with them.

I can only find twelve. I recommend that you grab a copy of "Defender" (the
cheap non-managed, host-based version), install the patch, then publish
which ones you can use to successfully evade the system. The Network ICE
patch includes not only specifically looking for this new exploit, but
attempts to handle all the Unicode evasion issues. We probably haven't
caught all the permutations yet (which is why IDS is an ongoing process).

>Do you want a code page with that?
>I’m no IIS or W2K wizard, but from what I can tell, it seems that when W2K
>is set up for different languages, then the interpretation of UTF8
>characters will be different.

My belief is that UTF8 is independent from "code pages". In the old days,
you had "code pages" where different languages used the 8-bit bytes to
represent different characters. Unicode was developed to create a common
code-page for 16-bit characters. UTF8 is simply a multi-byte representation
of the full Unicode character set. That means for each UTF8 sequence, there
is only one interpretation, regardless of nationality.

>Is it pattern matching or is it protocol analysis?
>"It all boils down to pattern matching in the end."

Here is Network ICE's perspective (the full version, not the watered down
version you likely saw in the whitepaper):

We see an important difference between "pattern matching" and what we call
"name matching". Let's use the example of "phf". I think it is very
different whether you are looking for the pattern "phf" on port 80 vs.
looking for a CGI script named "phf". In other words, you could pepper the
three letters "phf" throughout an HTTP request and never see Network ICE
trigger, because they aren't referring to a CGI script. Yet you could
reference the "phf" script on any port, and Network ICE still triggers.
Certainly, "name matching" is related to "pattern matching", but we think
the difference is very important.

In any event, Network ICE does lots of things that aren't remotely close to
pattern matching. For example, consider the older rpc.statd overflow that
compromised Sun Solaris boxes throughout the Internet in early 1999. Network
ICE doesn't detect any of the exploit signature patterns as the other IDSs
do; instead, it analyzes the rpc.statd protocol and triggers on long
filenames. The "pattern" that it triggers on is the number of characters,
not any content within the filename.

We started to see a rise in this signature being detected earlier this year.
It wasn't due to the Solaris buffer-overflow, but a new format-string
exploit in the RedHat version of rpc.statd. We were able to detect these
protocol anomalies long before the specific vulnerability was known.
http://www.networkice.com/advice/intrusions/2001702/

>Eric Hacker, GCIA, MCSE, CCSE
>Lucent NPS, Security Practice

Robert Graham
CTO/Network ICE
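The two points above, overlong UTF-8 forms such as %C0%AF that a lenient server decodes to '/', and "name matching" on the decoded script name rather than pattern matching on raw bytes, can be illustrated with a small IDS-side normaliser. The following is an added example written for this archive page; it is not Network ICE code and not Eric Hacker's test harness. The `watched_scripts` list, the alert strings and the sample paths are constructed for the example; the path `/something/%C0%AF%C0%AF/default.htm` and the %C0%AE form of '.' come from the message itself.

```python
# Added example (not from the original thread): IDS-side normalisation of
# percent-encoded UTF-8 URL paths. A permissive decoder, like the one the
# thread describes, accepts overlong forms such as C0 AF for '/'. A detector
# therefore normalises first, records each overlong sequence as an anomaly,
# and only then matches on the decoded name.
import string
from typing import List, Tuple

REPLACEMENT = "\ufffd"


def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(path):
        if (path[i] == "%" and i + 2 < len(path)
                and all(c in string.hexdigits for c in path[i + 1:i + 3])):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(path[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> Tuple[str, List[Tuple[int, str]]]:
    """Decode UTF-8 the way a permissive server does: overlong sequences are
    accepted, but every one is recorded as (byte offset, message)."""
    chars: List[str] = []
    anomalies: List[Tuple[int, str]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            chars.append(chr(b))
            i += 1
            continue
        # Lead byte decides how many continuation bytes follow and the
        # smallest code point that length may legitimately encode.
        if 0xC0 <= b <= 0xDF:
            need, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, floor = 3, b & 0x07, 0x10000
        else:
            anomalies.append((i, "invalid lead byte 0x%02X" % b))
            chars.append(REPLACEMENT)
            i += 1
            continue
        cont = data[i + 1:i + 1 + need]
        if len(cont) != need or any(not 0x80 <= c <= 0xBF for c in cont):
            anomalies.append((i, "truncated or malformed sequence"))
            chars.append(REPLACEMENT)
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp > 0x10FFFF:
            anomalies.append((i, "code point out of range"))
            chars.append(REPLACEMENT)
            i += 1 + need
            continue
        if cp < floor:
            anomalies.append((i, "overlong %d-byte encoding of U+%04X" % (need + 1, cp)))
        chars.append(chr(cp))
        i += 1 + need
    return "".join(chars), anomalies


def check_request(path: str, watched_scripts=("phf",)) -> Tuple[str, List[str]]:
    """Normalise the path part of a request and report what a name-matching
    detector flags on the decoded form. `watched_scripts` is a constructed
    watch list for the example."""
    raw_path = path.split("?", 1)[0]          # the query string is not part of the name
    decoded, anomalies = lenient_utf8_decode(percent_decode(raw_path))
    alerts = ["utf8-%s" % msg for _, msg in anomalies]
    segments = [s for s in decoded.split("/") if s]
    if ".." in segments:
        alerts.append("directory-traversal")
    # Name matching: the segment must *be* the script name; a segment that
    # merely contains the letters (e.g. "phfiles.html") does not trigger.
    for seg in segments:
        if seg.lower() in watched_scripts:
            alerts.append("script-name: %s" % seg)
    return decoded, alerts


if __name__ == "__main__":
    samples = ["/something/%C0%AF%C0%AF/default.htm", "/cgi-bin/phf?Qalias=x",
               "/docs/phfiles.html", "/a.txt", "/%C1%A1.txt",
               "/%E0%81%A1.txt", "/%F0%80%81%A1.txt"]
    for p in samples:
        print(p, "->", check_request(p))
```

The four spellings of `a.txt` in the demo (`%61`, `%C1%A1`, `%E0%81%A1`, `%F0%80%81%A1`) all normalise to the same path, which is why matching must happen after decoding; only the plain form produces no anomaly, so the overlong ones are both decoded correctly and surfaced as evasion indicators.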
