Re: New Snort Bypass - Patch - Bypass of Patch

To: "M. Dodge Mumford" <dodge@xxxxxxx>
Subject: Re: New Snort Bypass - Patch - Bypass of Patch
From: "Pukhraj Singh" <pukhraj.singh@xxxxxxxxx>
Date: Mon, 5 Jun 2006 16:47:51 +0530
Cc: "Sigint Consulting" <info@xxxxxxxxxxxxxxxxxxxxx>, dailydave@xxxxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=PEC4JGOfonWKsmKuvHlvFJK8vVJ7QFirpQEw5aUQQQGxz0z5UxKdB/79CHC1u9GDAi7EgxWth1ppUFKqleXznIvGFWT0goHNDm+fqI4/X5eUgbvW/xYwnjRfcy4+g4WFStZ0EeXOCqZapyce8+gp20BCgoMN+vG4MRU9NwhFpSA=
In-reply-to: <20060603161257.GJ846@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060601222659.1b1507a04a440dbbe6ab6eabc5c58a9e.aa242c51dd.wbe@xxxxxxxxxxxxxxxxxxxxxx> <20060602231638.GE846@xxxxxxx> <20060603161257.GJ846@xxxxxxx>

Apache uses a modified version of the isspace() macro. So it allows
\f,\n,\r,\t (\v is not allowed, as far as I can recall) as whitespace.
I know this affected lot of IPSes.

Thanks,
Pukhraj

On 6/3/06, M. Dodge Mumford <dodge@xxxxxxx> wrote:

[Sorry to reply to my own post, but...]

M. Dodge Mumford said:
> Sigint Consulting said:
> > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> > 192.168.1.3 80
> >
> > No alert is generated from the string above.
>
> [...]
>
> > We are not sure how much this may buy an attacker as the CR character
> > may mess up any requests to the webserver, further research is needed
> > on this.
>
> I performed this research while developing NFR's web signatures, and found
> that all web servers I tested (several years ago) handled end-of-lines using
> "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
> interprets "index.php" in the example above as an actual filename, I for one
> would be very interested in knowing about it.

Apparently my memory is failing. If I performed this test, I remembered the
results incorrectly.  Mea culpa.


--

Dodge

References:
- New Snort Bypass - Patch - Bypass of Patch
  - From: Sigint Consulting
- Re: New Snort Bypass - Patch - Bypass of Patch
  - From: M. Dodge Mumford
- Re: New Snort Bypass - Patch - Bypass of Patch
  - From: M. Dodge Mumford

Prev by Date: Dmx Forum <= v2.1a Remote Passwords Disclosure
Next by Date: Personal Information Disclosure/Account Hijacking Vulerability in mafia online games
Previous by thread: Re: New Snort Bypass - Patch - Bypass of Patch
Next by thread: aspWebLinks 2.0 Remote SQL Injection / Admin Pass Change Exploit
Index(es):
- Date
- Thread