Advanced Network Based IPS Evasion Techniques
Antti Levomäki, Christian Jalio, Olli-Pekka Niemi
28 October 2009
Copyright © 2009 Stonesoft Corporation. All rights reserved.
Hack.Lu 2009
Introduction
- Intrusion Prevention Systems should protect vulnerable hosts from remote exploits
- Exploits can apply multiple evasion methods to bypass the detection of Intrusion Prevention Systems and break into the remote system
- There are hacking tools which apply multiple evasion techniques
- However, these tools are more exploit oriented and not evasion oriented
Known Evasions, Implemented in Various Testing Tools
- IP Fragmentation with manipulated fragment size and order
- TCP segmentation with manipulated segment size and order
- SMB Fragmentation
- SMB Transaction Write Method
- MSRPC Multibind (bind to multiple "unnecessary or non-existent" contexts + the vulnerable context)
- MSRPC fragmentation
- MSRPC encryption
Not So Known Evasions, Implemented in ???
- IP Random Options
- TCP Time Wait
- TCP Urgent Pointer
- SMB Write/Read Padding
- SMB Transaction Method fragmentation
- SMB Session Mixing
- MSRPC Alter Context
- MSRPC Object Reference
- MSRPC Endian Manipulation
The Power of Evasion Methods
- IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic
- Example: SMB and MSRPC signatures should not worry about fragmentation, padding, extra methods or other randomizations
IP
Random Options
- Fill the IP packet with random options
- If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS
TCP Evasion
TCP Time Wait
- Open and close a TCP connection. Open a new TCP connection to the same service using the same TCP source port.
- According to the TCP RFC, the TCP client MUST wait the "TIME-WAIT delay" number of seconds before reusing a port.
- If the attacker uses his own TCP/IP stack, he can open and close a TCP connection and immediately open a new TCP connection using the same source port.
- The IPS stack should handle new connections as new connections regardless of the TIME-WAIT delay.
TCP Evasion
TCP Urgent Pointer
- Insert one byte into a TCP stream.
- The TCP server chooses whether to use or discard the added byte.
- IPS inspection can be evaded by clever use of the urgent pointer.
- Example:
  TCP stream: GETP /
  IPS sees: GETP /
  Apache sees: GET / (P is urgent data)
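As an added illustration (not from the slides), here is a small Python model of the two reassembly views in the example above: an inspection engine that keeps every byte sees GETP /, while a BSD-style socket layer hands the urgent byte out of band and the application sees GET /. The `Segment` class, the sample segments and the `stdurg` switch are constructed for this example; real stacks differ in details.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int            # relative sequence number of the first payload byte
    payload: bytes
    urg: bool = False   # URG flag set
    urg_ptr: int = 0    # urgent pointer as carried in the TCP header

def naive_view(segments):
    """Stream as seen by a reassembler that ignores URG: every byte in order."""
    stream = {}
    for s in sorted(segments, key=lambda s: s.seq):
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)          # first copy of a byte wins
    return bytes(stream[k] for k in sorted(stream))

def application_view(segments, stdurg=False):
    """Stream delivered in band to the application by a BSD-style socket.

    The urgent byte is handed out of band and removed from the stream.
    stdurg=False models the BSD reading used by Linux by default, where the
    pointer names the byte *after* the urgent byte; stdurg=True models the
    RFC 1122 reading (Linux tcp_stdurg=1), where it names the urgent byte
    itself.  Simplified model: only an urgent byte that lies inside the
    segment carrying the URG flag is removed.
    """
    stream, dropped = {}, set()
    for s in sorted(segments, key=lambda s: s.seq):
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)
        if s.urg and s.urg_ptr:
            urg_seq = s.seq + s.urg_ptr - (0 if stdurg else 1)
            if s.seq <= urg_seq < s.seq + len(s.payload):
                dropped.add(urg_seq)
    return bytes(stream[k] for k in sorted(stream) if k not in dropped)

# Constructed sample reproducing the slide: "GETP /" with the P marked urgent.
SAMPLE = [
    Segment(0, b"GET"),
    Segment(3, b"P", urg=True, urg_ptr=1),   # BSD pointer: one past the P
    Segment(4, b" / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("naive reassembly sees:", naive_view(SAMPLE))
    print("application sees:     ", application_view(SAMPLE))
```

The two pointer interpretations give different application views of the same packets, which is why an inline device has to model the target host's stack rather than pick one reading for everyone.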
SMB Evasion
SMB Session Mixing
- It is possible to use multiple resources over the same SMB session within a single TCP connection at the same time.
- Simultaneously read and write into multiple files
SMB Evasion
SMB Write/Read Padding
- The write and read commands have an offset pointer that can be used for padding.
- All data after the SMB header up to the pointed byte should be discarded.
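An added example (not Stonesoft or Predator code) of the normalisation step this slide calls for: locating the file data of a WriteAndX request through its DataOffset field, so that anything the sender placed between ByteCount and the data is discarded before the bytes reach a signature. The encoder `build_write_andx`, with its zeroed header fields, is constructed purely to exercise the parser.

```python
import struct

SMB_COM_WRITE_ANDX = 0x2F

def write_andx_data(msg):
    """Return (fid, file_offset, data, padding) from an SMB_COM_WRITE_ANDX request.

    msg starts at the 32-byte SMB header.  DataOffset counts from the start of
    that header, so the data is taken from there and not from "right after
    ByteCount"; the gap in between is reported as padding.
    """
    if len(msg) < 59 or msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_WRITE_ANDX:
        raise ValueError("not an SMB_COM_WRITE_ANDX request")
    word_count = msg[32]
    if word_count not in (12, 14):
        raise ValueError("unexpected WordCount for WriteAndX")
    # Parameter words: AndXCommand(1) AndXReserved(1) AndXOffset(2) FID(2)
    # Offset(4) Timeout(4) WriteMode(2) Remaining(2) DataLengthHigh(2)
    # DataLength(2) DataOffset(2) [OffsetHigh(4) when WordCount == 14]
    f = struct.unpack_from("<BBHHIIHHHHH", msg, 33)
    fid, offset, dlen_high, dlen, doff = f[3], f[4], f[8], f[9], f[10]
    p = 33 + word_count * 2                     # position of ByteCount
    if word_count == 14:
        offset |= struct.unpack_from("<I", msg, p - 4)[0] << 32
    byte_count = struct.unpack_from("<H", msg, p)[0]
    data_start = p + 2                          # first byte after ByteCount
    length = (dlen_high << 16) | dlen
    if (doff < data_start or doff + length > len(msg)
            or doff + length > data_start + byte_count):
        raise ValueError("DataOffset/DataLength out of bounds")
    return fid, offset, msg[doff:doff + length], doff - data_start

def build_write_andx(fid, offset, data, pad=b""):
    """Constructed encoder used only to exercise the parser (header fields zeroed)."""
    header = b"\xffSMB" + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 27
    words = struct.pack("<BBHHIIHHHHH", 0xFF, 0, 0, fid, offset & 0xFFFFFFFF,
                        0, 0, 0, len(data) >> 16, len(data) & 0xFFFF, 0)
    doff = 32 + 1 + len(words) + 2 + len(pad)   # data sits after the padding
    words = words[:-2] + struct.pack("<H", doff)
    return (header + bytes([len(words) // 2]) + words
            + struct.pack("<H", len(pad) + len(data)) + pad + data)
```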
SMB Evasion
SMB Transaction Method
- SMB Transaction Write Method
- The SMB protocol allows the fragmentation of Transaction messages by using "Transaction secondary" messages.
MSRPC Evasion
MSRPC Object Reference
- Adding an Object Reference (UUID) to an MSRPC Request Header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward.
MSRPC Evasion
Alter Context
- The client may change the current context using the Alter Context method. All subsequent requests then go to the new context.
- Example: The client binds to a non-vulnerable context and then changes into a vulnerable context and sends the exploit.
MSRPC Endianness
- The MSRPC protocol allows both big- and little-endian encoding
- Windows hosts normally use the little-endian encoding
- Hackers should use big endian for obvious reasons…
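An added example (not Stonesoft or Predator code) covering this slide together with the Object Reference and fragmentation slides above: a DCE/RPC (MSRPC) request parser that honours the data-representation byte, skips the optional 16-byte object UUID and reassembles stub data across fragments, so a signature is matched against the same bytes whatever encoding the client chose. `build_request` is a constructed encoder for exercising the parser and carries no authentication data.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
PT_REQUEST = 0

def parse_request(pdu):
    """Return (call_id, opnum, flags, stub_data) for one DCE/RPC request PDU."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PT_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    flags = pdu[3]
    # drep[0] high nibble: 0 = big-endian integers, 1 = little-endian.
    e = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    _alloc_hint, _ctx_id, opnum = struct.unpack(e + "IHH", pdu[16:24])
    # An object UUID (PFC_OBJECT_UUID) sits between the fixed header and the
    # stub, shifting the stub by 16 bytes: fixed-offset signatures miss it.
    start = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
    # Authentication data (8-byte sec_trailer + auth_value) trails the stub.
    trailer = 8 + auth_len if auth_len else 0
    end = frag_len - trailer
    if frag_len > len(pdu) or start > end:
        raise ValueError("frag_length/auth_length out of bounds")
    return call_id, opnum, flags, pdu[start:end]

def reassemble(pdus):
    """Join stub data per call_id; yield (call_id, opnum, stub) at LAST_FRAG."""
    pending = {}
    for pdu in pdus:
        call_id, opnum, flags, stub = parse_request(pdu)
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = (opnum, bytearray())
        if call_id not in pending:
            raise ValueError("fragment without a first fragment")
        pending[call_id][1].extend(stub)
        if flags & PFC_LAST_FRAG:
            op, buf = pending.pop(call_id)
            yield call_id, op, bytes(buf)

def build_request(call_id, opnum, stub, flags, big_endian=False, obj=b""):
    """Constructed encoder used only to exercise the parser (no auth data)."""
    e = ">" if big_endian else "<"
    drep = bytes([0x00 if big_endian else 0x10, 0, 0, 0])
    if obj:
        flags |= PFC_OBJECT_UUID
    frag_len = 24 + len(obj) + len(stub)
    hdr = bytes([5, 0, PT_REQUEST, flags]) + drep
    hdr += struct.pack(e + "HHI", frag_len, 0, call_id)
    return hdr + struct.pack(e + "IHH", len(stub), 1, opnum) + obj + stub
```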
Introducing Predator
- Evasion Fuzzer
- Use multiple random evasion techniques simultaneously in multiple layers
- Transmit the same payload until successful
Evasions in Predator
- Evasions for attack "CVE-2008-4250"
- IP fragmentation, --ip_frag:
  8byte: Fragment IP payload into 8 byte fragments
  16byte: Fragment IP payload into 16 byte fragments
  24byte: Fragment IP payload into 24 byte fragments
  256byte: Fragment IP payload into 256 byte fragments
  random_order: Send fragments in a random order
  out_of_order: Send one fragment out of order
  fwd_overwrite: Perform forward overwriting with fragments
  last_first: Send last fragment first
  one_duplicate: Send one duplicate fragment
- IP evasion, --ip_evasion:
  random_options: Send random IP options
- TCP fragmentation, --tcp_frag:
  1byte: Fragment TCP payload into 1 byte segments
- TCP evasion, --tcp_evasion:
  time_wait: Open a decoy connection and attack from the same ip:port while in time-wait
  urgent_ptr: Insert meaningless data into 1 byte urgent segments
- SMB fragmentation, --smb_frag:
  16byte: Fragment SMB payload into 16 byte fragments
  256byte: Fragment SMB payload into 256 byte fragments
- SMB evasion, --smb_evasion:
  andx_connect: Negotiate SMB session and connect to a tree with an AndX message
  decoy_trees: Open decoy SMB tree connects in the same TCP stream as the attack
  read_offset: Use random offsets in SMB read operations
  pad_write_random: Pad SMB write commands with a random sized block of random data
  pad_write_static: Pad SMB write commands with a static sized block of random data
  random_write_method: Use a random SMB write method (TRANSACT / WRITE)
  write_offset: Use random offsets in SMB write operations
- MSRPC fragmentation, --msrpc_frag:
  16byte: Fragment MSRPC payload into 16 byte fragments
  256byte: Fragment MSRPC payload into 256 byte fragments
- MSRPC evasion, --msrpc_evasion:
  big_endian: Communicate in big endian format
  random_object: Add a random object reference to MSRPC requests
  alter_context: Bind to a random context and then alter to the correct context
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB fragstyle: 16byte, MSRPC evasion: random_object}
Exploit run 2: SMB evasion: read_offset, MSRPC evasion: big_endian,random_object,alter_context}
Exploit run 3: SMB evasion: decoy_trees,pad_write_static, MSRPC evasion: random_object,alter_context}
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Hunting High and Low
Initializing IPForge based on the configuration..
Started at IP 10.0.215.32, MAC de:ad:01:00:01:02. Attacking against 10.0.215.101
Exploit run 1: TCP fragstyle: 1byte, TCP evasion: urgent_ptr, SMB evasion:andx_connect,pad_write_static,random_write_method,write_offset, MSRPC evasion: alter_context}
Exploit run 2: TCP evasion: time_wait, SMB evasion: decoy_trees,read_offset,pad_write_static
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
DEMO
www.stonesoft.com