New Member

Cisco NIDS vulnerable to insertion attacks (please verify)

New Member

Re: Cisco NIDS vulnerable to insertion attacks (please verify)

Problem with the post earlier.....

I grabbed the latest version of nessus and finally got around to testing out the built-in IDS evasion tactics.

I did a quick test by test firing a GET /cgi-bin/phf against a web server; the traffic is detected by one of my sensors.

I selected the insertion method of IDS evasion and found that the sensor did not detect the attack. The attack arrived at the web server and was interpreted correctly by the web server.

There are a few different ways to perform an insertion attack against an IDS, and the way Nessus implements it is to split up the HTTP data with null packets... for example,

Send the 'G'
Send a null
Send a null
Send the 'E'
Send a null
Send the 'T'
Send a null
Send a null
Send a null

and so forth. The actual stream of the attack has 'nulls' inserted as real traffic between the attack. The IDS takes all that data and reassembles it, but concludes it does not match the 'trigger' string /phf.

However the data arrives at the web server, and the web server duly strips off the nulls and reassembles the attack data.

I'd appreciate it if anyone else has tried testing these techniques.

It's a painful process, but I'd be interested to see how many of the Nessus vulnerability tests can evade a NIDS using insertion.

Cisco Employee

Re: Cisco NIDS vulnerable to insertion attacks (please verify)

Looks like there is a bug in our deobfuscator. Thank you for pointing this out. We strive to remain as current as possible on the newest IDS evasion techniques, and even ahead if we can think of something before the others do, but as you pointed out, trying every weird combination of things that you can think of would be quite time consuming. We will address this limitation immediately.

Please watch this thread for an engineering build that addresses this problem.

New Member

Re: Cisco NIDS vulnerable to insertion attacks (please verify)

I presume you mean the HTTP deobfuscator?

I picked the phf test just for something quick. I tried FTP-ing to a box and retrieving the /etc/passwd file.

This should trigger the string match, but it didn't.

The technique of inserting nulls to evade an IDS goes beyond the HTTP deobfuscator, I would think.

Cisco Employee

Re: Cisco NIDS vulnerable to insertion attacks (please verify)

You are correct that this technique will extend beyond the web servers. We have similar preprocessors for other TCP services and they will need to be updated as well. For instance, we have a preprocessor that removes telnet options from the FTP and SMTP streams. We will have to investigate which servers are ignoring the nulls and which server types are not. To further complicate matters, we may find that some FTP servers will incorporate the nulls while some (like yours) might ignore them. I don't know what the outcome of this will be yet, but rest assured we will incorporate this as appropriate into all of our stream-based inspection engines.
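The exchange above describes the problem from two angles: the first poster shows that a signature match on the raw reassembled stream misses a request whose bytes are interleaved with nulls that the target server discards, and the Cisco reply notes that the fix belongs in every stream-based inspection engine, not just the HTTP deobfuscator. The following added example (not code from the thread or from Cisco's sensor) demonstrates the detection logic a defender needs: a naive byte match over the reassembled stream, the same match after a normalization step that drops NUL bytes the way the web server does, and a per-connection matcher that normalizes each TCP segment and keeps enough tail context to catch a signature that straddles segment boundaries. The request bytes and the segment list are constructed sample input that follow the G, null, null, E, null, T sequence described in the first post; the signature `/phf` is the trigger string named there.

```python
# Added example: normalizing a reassembled TCP stream before signature matching.
# Sample input below is constructed for this demonstration; it is not captured traffic.

SIGNATURE = b"/phf"  # the trigger string named in the thread

# Constructed: the clean request and the same request with NUL bytes interleaved
# in the G, NUL, NUL, E, NUL, T, NUL, NUL, NUL pattern described in the first post.
CLEAN_REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
NUL_PADDED_REQUEST = b"G\x00\x00E\x00T\x00\x00\x00 /c\x00gi-bin/p\x00hf HTTP/1.0\r\n\r\n"

# Constructed: the same bytes as they would arrive one TCP segment at a time.
# Note that the signature "/phf" is split across three segments ("p", NUL, "hf").
SEGMENTS = [
    b"G", b"\x00", b"\x00", b"E", b"\x00", b"T", b"\x00", b"\x00", b"\x00",
    b" /c", b"\x00", b"gi-bin/p", b"\x00", b"hf HTTP/1.0\r\n\r\n",
]


def naive_match(stream: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-wise match on the raw reassembled stream: what the evaded sensor did."""
    return signature in stream


def normalize_nuls(stream: bytes) -> bytes:
    """Drop NUL bytes, mirroring what the web server in the thread does before parsing."""
    return stream.replace(b"\x00", b"")


def normalized_match(stream: bytes, signature: bytes = SIGNATURE) -> bool:
    """Match after normalization: sees the stream the way the target server does."""
    return signature in normalize_nuls(stream)


class StreamSignatureMatcher:
    """Per-connection matcher that normalizes each segment as it arrives and keeps
    the last len(signature)-1 normalized bytes so a signature split across
    segment boundaries (with or without inserted NULs) is still found."""

    def __init__(self, signature: bytes):
        self.signature = signature
        self.tail = b""
        self.hits = 0

    def feed(self, segment: bytes) -> bool:
        data = self.tail + normalize_nuls(segment)
        hit = self.signature in data
        if hit:
            self.hits += 1
        keep = len(self.signature) - 1
        self.tail = data[-keep:] if keep else b""
        return hit


def detect_in_segments(segments, signature: bytes = SIGNATURE) -> bool:
    """Feed every segment of a connection through the matcher; True if any segment
    (together with retained tail context) completes the signature."""
    matcher = StreamSignatureMatcher(signature)
    results = [matcher.feed(segment) for segment in segments]  # feed all, then decide
    return any(results)


if __name__ == "__main__":
    print("naive match on clean request:     ", naive_match(CLEAN_REQUEST))
    print("naive match on NUL-padded request:", naive_match(NUL_PADDED_REQUEST))
    print("normalized match on NUL-padded:   ", normalized_match(NUL_PADDED_REQUEST))
    print("segment-wise detection:           ", detect_in_segments(SEGMENTS))
```

Two caveats that the Cisco reply already hints at. First, normalization must reflect what the receiving server actually does: if a given FTP or SMTP implementation keeps the NUL bytes rather than discarding them, stripping them in the sensor creates the opposite problem (the sensor alerts on a request the server never executes), so the normalizer should be selected per service, and ideally per server type. Second, NUL bytes inside an ASCII command stream are themselves anomalous; a sensor that cannot be sure how the server will treat them can at least raise a separate "inserted NUL in HTTP/FTP command channel" event, which catches this evasion class regardless of which signature is being hidden.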
