Re: HIPS Buffer Overflow Protection - Bypass

From: Sanjay R (2sanjayr@gmail.com)
Date: Wed Nov 15 2006 - 22:44:45 EST

• Next message: Justin Lintz: "Re: Call Center Security Testing"
• Previous message: Drexx Laggui [personal]: "Re: DDOS Products"
• In reply to: dfullerton@mantor.org: "Re: HIPS Buffer Overflow Protection - Bypass"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Bart:
As mentioned by Danny, HIPS under testing is targeting only exploit
codes and few commonly used shellcodes. The signatures are being
written for exploit codes, not for vulerabilities. Otherwise, MS06-040
exploit must had been detected, irrespective of shellcodes. I think,
if it is not that confidential, it would be good if you mention the
product names, so that those companies as well as other users will
come to know about the right picture.

thanks
-Sanjay
On 11/16/06, dfullerton@mantor.org <dfullerton@mantor.org> wrote:
> Bart,
>
> Basically this means that this HIPS does not detect nor protect against this buffer overflow. Looks like the only thing detected by the IPS was the different Metasploit payload except the "adduser" one (the actual shellcode signature). Consequently, we can say that any custom payload would go undetected. Signature-based recognition is one part of the whole detection picture and looks like this IPS can't do much in others portions of detection/prevention for this vulnerability such as stack protection (write and execution of stack memory segment) and heuristic.
>
> Danny Fullerton
> IT security Specialist
> Mantor Organization
>
> ___________________________________
> NOCC, http://nocc.sourceforge.net
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>

-- 
PhD
Intoto Softwares, Hyderabad, India
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: Justin Lintz: "Re: Call Center Security Testing"
• Previous message: Drexx Laggui [personal]: "Re: DDOS Products"
• In reply to: dfullerton@mantor.org: "Re: HIPS Buffer Overflow Protection - Bypass"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:19 EDT