Re: New article on SecurityFocus

From: Alexander Sotirov (asotirov@determina.com)
Date: Sat Jan 07 2006 - 01:05:58 EST


H D Moore wrote:
> On Wednesday 04 January 2006 19:49, Erin Carroll wrote:
>
>>Out of curiosity has anyone done any testing against
>>the new signatures to determine if they are code specific or if tricks
>>like tagging %0%0 in the payload bypasses them?
>
>
> All of the current IDS/AV signatures are based on the following pattern:
>
> (All values below are in hex)
>
> ---
> [ any number of bytes ]
> (01 or 02) + 00 + 09 + 00
> [ any number of bytes ]
> 26 + 09 + 00

Some AV products might be using this basic signature, but they probably have a
second layer of more complicated checks to avoid false positives. Otherwise
they'll trigger on any WMF file that includes 26 09 00 in some random record.
F-Secure parses the metafile and traverses all records the same way
GDI32!PlayMetaFileRecord does, looking for the META_ESCAPE record. If you can
break their parser and avoid detection, the Windows function will most likely
break too and fail to play your file. It's a pretty solid technique, but of
course, the more complicated your parser gets, the greater the chance of having
a bug in it. They were lucky that WMF is easy to parse.

The IDS systems were the ones that were really screwed. It is much harder to
reassemble TCP, decrypt SSL and parse WMF files on a gigabit link :-)

Alex
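Alex's point about parsing the metafile versus matching raw bytes, as an added example that is not from the thread or from any vendor's product. It assumes the standard WMF layout (an 18-byte header, then records of a DWORD size in words followed by a WORD function) and that the player dispatches on the low byte of the function word; the two input files are constructed here.

```python
import struct

META_ESCAPE = 0x26          # low byte of the META_ESCAPE record function (0x0626)
ESC_SETABORTPROC = 0x0009   # escape subfunction selected by the MS06-001 exploits

def parse_records(data):
    """Walk a WMF blob record by record the way a metafile player would.
    Returns (records, reached_eof); stops at the first malformed record."""
    records = []
    if len(data) < 18 or struct.unpack_from("<HH", data, 0) not in ((1, 9), (2, 9)):
        return records, False            # not a memory/disk metafile with a 9-word header
    off = 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):   # size must cover size + function fields
            return records, False        # a player would fail to play the file here
        records.append((off, func, data[off + 6:end]))
        if func == 0:                    # META_EOF
            return records, True
        off = end
    return records, False

def find_abortproc_escapes(data):
    """Offsets of META_ESCAPE records selecting SETABORTPROC (structured check)."""
    hits = []
    for off, func, params in parse_records(data)[0]:
        # GDI dispatches on the low byte of the function word; the high byte is the
        # parameter count (assumption, based on the WMF record convention).
        if func & 0xFF == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
            hits.append(off)
    return hits

def naive_signature_match(data):
    """The byte pattern quoted in the thread, applied literally with no parsing."""
    return (data[:1] in (b"\x01", b"\x02") and data[1:4] == b"\x00\x09\x00"
            and b"\x26\x09\x00" in data)

def build_wmf(records):
    """Constructed sample: wrap (function, params) pairs in a minimal WMF."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, 0)     # META_EOF
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, 9 + len(body) // 2, 0, 0, 0)
    return header + body

# Constructed inputs: a benign polygon whose coordinates happen to contain 26 09 00,
# and a file with a genuine META_ESCAPE record selecting SETABORTPROC.
BENIGN = build_wmf([(0x0324, struct.pack("<HHH", 1, 0x0926, 0))])
ESCAPE = build_wmf([(0x0626, struct.pack("<HH", ESC_SETABORTPROC, 0))])
```

The benign polygon trips the literal pattern but not the record walker, while a record with a zero size field stops the walker exactly where the player would give up.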




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:19 EDT