Thread: Rule Submit: Poison Null Byte

Rule Submit: Poison Null Byte
Blake Hartstein
2006-09-12 23:04:38
Hi,
This rule detects several known issues in web scripts which allow an attacker to bypass filters and potentially execute arbitrary code. Additionally, Apache will remove null bytes, which could also indicate an attack, which would not be detected otherwise.

These attacks could potentially affect any language, and thus I have not anchored them to any particular one.

I highly recommend enabling this rule on your network. Please report any false positives you see.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"BLEEDING-EDGE WEB-MISC Poison Null Byte"; \
    flow:established,to_server; uricontent:"|00|"; \
    reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; \
    reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; \
    classtype:web-application-activity; sid:2003???; rev:1; )

-Blake

-- 
This email and any files transmitted with it are solely
intended for the use of the addressee(s) and may contain
information that is confidential and privileged.  If you
receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the
email, delete it and destroy any copies immediately.  Demarc
Security, Inc. does not accept liability for the views
expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it
should be reproduced, adapted or transmitted without the
written consent of the copyright owner.

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
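As an added illustration of what the rule above is meant to catch (example code written for this archive page, not part of Blake's post or the Bleeding Edge ruleset), the script below models three things: how a C-string-backed file call silently truncates a name at the first NUL, which is what lets an attacker discard an extension a script appends; a detector that behaves like `uricontent:"|00|"`, i.e. it looks only at the request URI after one percent-decoding pass and never at the request body; and the allowlist check an application should perform instead of relying on the appended extension. The request lines, the `/var/www/pages/` document root and the `.html` extension are constructed for the example.

```python
"""Added example (not from the thread): what a poison null byte does to a
web script, and a detector that behaves like uricontent:"|00|".

Everything here is constructed for illustration: the sample request lines,
the /var/www/pages/ document root and the .html extension are hypothetical.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample traffic: (request line, request body).
# Only the POST carries a body; it contains NUL bytes the way a binary
# upload would, which is the false-positive case raised in the thread.
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    ("GET /view.php?page=../../etc/passwd%00 HTTP/1.1", b""),
    ("GET /download?file=report%2500.txt HTTP/1.1", b""),  # double-encoded
    ("GET /view.php?page=about HTTP/1.1", b""),
    ("POST /upload HTTP/1.1", b"\x89PNG\x00\x00binary image data\x00"),
]


def c_string_view(value: bytes) -> bytes:
    """What a libc-backed open()/stat() sees: everything up to the first NUL.

    Scripting languages keep the NUL in their own string but hand a C
    string to the OS, so the part after the NUL silently disappears.
    """
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def vulnerable_path(user_value: bytes,
                    base: bytes = b"/var/www/pages/",
                    ext: bytes = b".html") -> bytes:
    """The classic vulnerable pattern: the script appends a fixed extension
    and trusts that to restrict what can be opened."""
    return c_string_view(base + user_value + ext)


def hardened_path(user_value: bytes,
                  base: bytes = b"/var/www/pages/",
                  ext: bytes = b".html") -> Optional[bytes]:
    """Allowlist the value before it touches the filesystem. A NUL, a
    slash or a '..' all fail the pattern, so there is nothing for the
    C layer to truncate."""
    if not re.fullmatch(rb"[A-Za-z0-9_-]{1,64}", user_value):
        return None
    return base + user_value + ext


def request_uri(request_line: str) -> bytes:
    """Pull the request-target out of an HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    return target.encode("latin-1")


def normalize_uri(raw: bytes) -> bytes:
    """One percent-decoding pass, the way a normalized URI buffer is built:
    %00 becomes a real NUL, while %2500 only becomes the text '%00'."""
    return unquote_to_bytes(raw)


def query_param(uri: bytes, name: bytes) -> bytes:
    """Read one query parameter without decoding a second time."""
    for pair in uri.partition(b"?")[2].split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == name:
            return value
    return b""


def poison_null_byte_alert(request_line: str, body: bytes = b"") -> bool:
    """Mirror of the rule: fires on a NUL in the normalized URI only.
    `body` is accepted and deliberately ignored, as uricontent ignores it,
    so a binary POST body does not trip the check."""
    return b"\x00" in normalize_uri(request_uri(request_line))


def scan(requests: List[Tuple[str, bytes]]) -> List[str]:
    """Return the request lines the rule would alert on."""
    return [line for line, body in requests if poison_null_byte_alert(line, body)]


if __name__ == "__main__":
    for line, body in SAMPLE_REQUESTS:
        print("ALERT" if poison_null_byte_alert(line, body) else "ok   ", line)
    attacker = query_param(normalize_uri(request_uri(SAMPLE_REQUESTS[0][0])), b"page")
    print("vulnerable opens:", vulnerable_path(attacker))
    print("hardened opens:  ", hardened_path(attacker))
```

Of the four constructed requests only the first fires: the `%2500` request decodes to the literal text `%00` after one pass, so a rule that looks at a once-normalized URI will not see a NUL there even though a backend that decodes twice still would, and the binary POST body never enters the URI buffer at all, which is why an upload does not produce the false positive the thread worries about.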
Rule Submit: Poison Null Byte
Matt Jonkman
2006-09-13 03:22:35
Interesting... Think we can put a depth in or something? What if we're sending a file via HTTP? Surely we'll get falses there.

Does the HTTP preprocessor strip null bytes?

matt

Blake Hartstein wrote:
> Hi,
> This rule detects several known issues in web scripts which allow an
> attacker to bypass filters and potentially execute arbitrary code.
> Additionally, Apache will remove null bytes, which could also indicate
> an attack, which would not be detected otherwise.
>
> These attacks could potentially affect any language, and thus I have not
> anchored them to any particular one.
>
> I highly recommend enabling this rule on your network. Please report any
> false positives you see.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"BLEEDING-EDGE WEB-MISC Poison Null Byte";
> flow:established,to_server; uricontent:"|00|"; reference:cve,2006-4542;
> reference:cve,2006-4458; reference:cve,2006-3602;
> reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf;
> classtype:web-application-activity; sid:2003???; rev:1; )
>
> -Blake
>

--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


Rule Submit: Poison Null Byte
Blake Hartstein
2006-09-13 17:32:59
http_inspect does not strip null bytes; it does, however, allow you to alert on the null byte in the URL, using the non_rfc_char {...} configuration option.

Sending files by HTTP should not likely be using the URI to send the file, but there are always exceptions, of course.

I've been using it on my network for a while now and it seems to be relatively stable, and not prone to false positives.
I have seen some indication that this rule leads to a Snort-related bug due to detection of URLs without the null byte causing an alert; perhaps uricontent is reaching into another area, or something else I am not aware of?

-Blake


Matt Jonkman wrote:
> Interesting... Think we can put a depth in or something? What if we're
> sending a file via HTTP? Surely we'll get falses there.
>
> Does the HTTP preprocessor strip null bytes?
>
> matt
>
> Blake Hartstein wrote:
>> Hi,
>> This rule detects several known issues in web scripts which allow an
>> attacker to bypass filters and potentially execute arbitrary code.
>> Additionally, Apache will remove null bytes, which could also indicate
>> an attack, which would not be detected otherwise.
>>
>> These attacks could potentially affect any language, and thus I have not
>> anchored them to any particular one.
>>
>> I highly recommend enabling this rule on your network. Please report any
>> false positives you see.
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>> (msg:"BLEEDING-EDGE WEB-MISC Poison Null Byte";
>> flow:established,to_server; uricontent:"|00|"; reference:cve,2006-4542;
>> reference:cve,2006-4458; reference:cve,2006-3602;
>> reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf;
>> classtype:web-application-activity; sid:2003???; rev:1; )
>>
>> -Blake
>>
>



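An added example of the preprocessor option Blake refers to, written for this archive page rather than taken from his message or the Bleeding Edge ruleset. The option names follow the Snort 2.x http_inspect documentation; the port list and the unicode map path are assumptions for illustration.

```snort
# Added example: a Snort 2.x http_inspect configuration that alerts on a NUL
# in the request URI through the preprocessor itself, independent of any
# rule. Port list and unicode map path are assumptions for illustration.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# non_rfc_char takes the bytes to alert on, in hex. 0x00 is the poison
# null byte; http_inspect raises its own event (generator ID 119) when it
# sees one in the URI, so it shows up separately from the sid-based rule.
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    non_rfc_char { 0x00 }
```

Like `uricontent`, this inspects the URI only: a NUL inside a POST body is not a non-RFC character in the request line, so an upload does not trigger it either. Running both the preprocessor event and the rule on the same traffic is a cheap way to check Blake's suspicion that `uricontent` was matching outside the URI, since the two should fire on exactly the same requests.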
Rule Submit: Poison Null Byte
Matt Jonkman
2006-09-13 17:54:36
AHH! Sorry Blake. I read that and saw a content, not the uricontent. My bad.

I'll post it ASAP.

Matt

Blake Hartstein wrote:
>
> http_inspect does not strip null bytes; it does, however, allow you to
> alert on the null byte in the URL, using the non_rfc_char {...}
> configuration option.
>
> Sending files by HTTP should not likely be using the URI to send the
> file, but there are always exceptions, of course.
>
> I've been using it on my network for a while now and it seems to be
> relatively stable, and not prone to false positives.
> I have seen some indication that this rule leads to a Snort-related bug
> due to detection of URLs without the null byte causing an alert; perhaps
> uricontent is reaching into another area, or something else I am not
> aware of?
>
> -Blake
>
>
> Matt Jonkman wrote:
>> Interesting... Think we can put a depth in or something? What if we're
>> sending a file via HTTP? Surely we'll get falses there.
>>
>> Does the HTTP preprocessor strip null bytes?
>>
>> matt
>>
>> Blake Hartstein wrote:
>>> Hi,
>>> This rule detects several known issues in web scripts which allow an
>>> attacker to bypass filters and potentially execute arbitrary code.
>>> Additionally, Apache will remove null bytes, which could also indicate
>>> an attack, which would not be detected otherwise.
>>>
>>> These attacks could potentially affect any language, and thus I have not
>>> anchored them to any particular one.
>>>
>>> I highly recommend enabling this rule on your network. Please report any
>>> false positives you see.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>>> (msg:"BLEEDING-EDGE WEB-MISC Poison Null Byte";
>>> flow:established,to_server; uricontent:"|00|"; reference:cve,2006-4542;
>>> reference:cve,2006-4458; reference:cve,2006-3602;
>>> reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf;
>>> classtype:web-application-activity; sid:2003???; rev:1; )
>>>
>>> -Blake
>>>
>>
>


