[ANN]: N.A.D.S. Normalized Attack Detection System
From: Gianni Tedesco (gianni at scaramanga.co.uk)
Date: Fri Jul 11 2003 - 10:52:34 CDT
Hello,
Announcing nads-0.1, this is a little bit of concept code which I hope
to grow over the next few months which normalizes HTTP URLs. It is
implemented as a library (DSO) written in C and should be fairly
portable (even for non-gcc compilers). It is free software released
under the terms of the GNU GPL. You can download it at:
http://www.scaramanga.co.uk/nads/nads-0.1.tar.gz
It currently normalizes the following evasion techniques:
o Strips out query string
o Hex encoding (including double hex encoding)
o MS UTF-16 (%uNNNN)
o Overlong UTF-8 encodings
o Double slashes
o Backslashes
o Case normalization
o . and .. normalized out (eg /./foo/../bar/ becomes /bar/)
Some of these things are specific to webservers, so there is an API to
select which webserver to emulate. It's pretty flexible.
Here is an example. The URL starts like this (unicode exploit caught in
the wild):
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
Then it gets hex decoded:
/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe
Then it gets hex decoded again (the emulation type is set to IIS).
/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe
Then overlong UTF-8 encodings are removed:
/msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe
Then the path components are normalized:
/msadc/../../../../../../../../../../../winnt/system32/cmd.exe
Then the code throws up an error, due to accessing files outside the
webroot.
The plans are to also add a squid ACL helper with fast signature
matching support to provide a free web application layer firewall / IPS.
Enjoy! :)
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
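The normalization pipeline the announcement walks through, as an added Python example (not nads code): query stripping, one or two percent-decoding passes, the overlong UTF-8 fold, backslash and case handling, and `.`/`..` collapsing with a flag when a path climbs above the webroot. The second decode pass and the '\' handling are applied only under IIS emulation, and treating the second byte of a two-byte sequence leniently (no continuation-bit check) is an assumption about how `%c1%1c` becomes `\` in the post's trace.

```python
import re

# Added example modelled on the normalization steps described in the post;
# it is not nads code. Decoding order follows the post's worked example.
PCT = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding, plus the MS %uNNNN (UTF-16) form."""
    out, i = bytearray(), 0
    while i < len(data):
        m = PCT.match(data, i) if data[i] == 0x25 else None
        if m is None:
            out.append(data[i]); i += 1
        elif m.group(1):   # %uNNNN: code point, re-emitted as UTF-8
            out += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
            i += 6
        else:              # %XX: a single raw byte
            out.append(int(m.group(2), 16)); i += 3
    return bytes(out)

def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse two-byte sequences whose value fits in ASCII (overlong forms).
    The continuation byte's high bits are not checked; that leniency is
    assumed here to be what turns %c1%1c into '\\' in the post's IIS trace."""
    out, i = bytearray(), 0
    while i < len(data):
        if 0xC0 <= data[i] <= 0xDF and i + 1 < len(data):
            cp = ((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp); i += 2; continue
        out.append(data[i]); i += 1
    return bytes(out)

def normalize(url: str, iis: bool = True):
    """Return (canonical path, escaped_webroot) ready for signature matching."""
    raw = percent_decode(url.split("?", 1)[0].encode("latin-1"))  # query stripped
    if iis:  # emulate IIS: second decode pass, lenient UTF-8, '\' as separator
        raw = fold_overlong_utf8(percent_decode(raw)).replace(b"\\", b"/")
    path = raw.decode("latin-1")
    if iis:
        path = path.lower()  # IIS paths are case-insensitive
    parts, escaped = [], False
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True   # '..' climbing above the webroot
        elif seg not in ("", "."):  # drops '.' and doubled slashes
            parts.append(seg)
    canon = "/" + "/".join(parts)
    if parts and path.endswith("/"):
        canon += "/"
    return canon, escaped
```

Feeding the post's captured URL through `normalize()` reproduces its intermediate strings stage by stage and ends with the escape flag set, which is the condition the post says the library reports as an error.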