Bug #1656

several silent bypasses at the HTTP application level (chunking, compression, HTTP 0.9...)

Added by Steffen Ullrich over 8 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm the author of the HTTP evader test suite which implements various ways to bypass IDS and IPS at the HTTP application level.
While Suricata (contrary to some other major IDS) attempts to properly parse HTTP, there are still some bypasses possible.

All tests were done with suricata 2.0.11 on Ubuntu 15.10. The binary was taken from the official PPA on 2016/01/02. The tests were done against a pcap file created by my HTTP evader test tool. All tests inside this pcap file transport the EICAR test virus. Only tests are included where at least one of the major browsers (IE11, Edge, Firefox, Chrome, Safari, Opera) successfully loaded the payload. Since the pcap is too large to attach it will be temporarily available from http://noxxi.de/research/http-evader.pcap.bz2

The following major problems can be seen:

  • Transfer-Encoding:
    • The code in libhtp explicitly checks for "chunked" and if any other value is given the setting is silently ignored and it continues to check the content-length. Thus it will assume that the content is not chunked if multiple headers are given (maybe junk headers) or if "chunked" is only a substring of the header. The browsers behave differently, i.e. Edge and IE use the first header and for the other browsers it is enough if any header is set to "chunked". With Safari it is enough that "chunked" is contained in a substring ("xchunkedy") while Firefox needs at least some word boundary ("x chunked"). Invalid Transfer-Encoding headers are simply ignored by all browsers.
    • Chunked Encoding is only defined with HTTP/1.1. Thus a "Transfer-Encoding: chunked" header inside a HTTP/1.0 response must be ignored. Most browsers behave this way but Safari (and squid proxy) ignore the HTTP version restriction.
    • Several browsers ignore invalid characters around the size specification of a chunk, i.e. "\vHexsize" (Firefox) or "Hexsize\v" (Firefox, IE, Edge). Suricata fails to parse these sizes and no alerts or other log messages point out the problem. Based on the code in libhtp there should be HTP_LOG_WARNING in this case but I cannot find a way to make Suricata log these warnings (eve-log level is the default Info).
    • see also http://noxxi.de/research/http-evader-explained-3-chunked.html
  • Content-Encoding:
    • No support for lzma (Opera). Chrome and Opera also support sdch but I have no tests for this. And with version 44 Firefox will support brotli, but only with https.
    • Deflate is only implemented as RFC1951 (raw deflate). But the HTTP specification did actually mean with "deflate" the "zlib" Encoding (RFC1950) and all browsers except IE support this encoding (additionally to raw deflate). See also http://noxxi.de/research/http-evader-explained-2-deflate.html and http://noxxi.de/research/http-evader.html.
    • Any unsupported encodings are silently ignored (also logged with HTP_LOG_WARNING according to source code of libhtp). This not only means the encodings above but also when the encoding name does not fully match the expected name. Thus browsers also accept "deflate,gzip" which is interpreted as double compression in Firefox and Chrome, single deflate in Safari and no compression in IE and Edge. See also http://noxxi.de/research/http-evader-explained-4-double-encoding.html.
    • Decompression errors are ignored too (should also be logged with HTP_LOG_WARNING but nothing shows in the logs). This includes missing or invalid body CRC and length, use of reserved flags and invalid header CRC. But several browsers ignore some or all of these problems, see http://noxxi.de/research/http-evader-explained-5-gzip.html.
  • Other problems
    • HTTP 0.9 style responses (i.e. no HTTP header) are simply passed through. These responses are accepted by all browsers except Safari. Maybe libhtp would log this too but again I could find no way to make Suricata show the problem. See http://noxxi.de/research/http-evader-explained-1-http09.html
    • Most browsers accept a single \r as a delimiter between lines which can be used to hide essential headers, i.e. "HTTP/1.1 200 ok\rTransfer-Encoding: chunked\r\n"
    • Suricata assumes that 100, 101, 102 will not have a body. While this should be true browsers behave differently, see http://noxxi.de/research/http-evader-explained-7-lucky-number.html

There are several other problems related to white-space or special characters, junk at the beginning etc. It's best to run all the tests in the pcap file.
For more information about all the tests see http://noxxi.de/research/http-evader.html.
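The following script is an added example; it is not part of this bug report, of Suricata or of libhtp. It models the parser disagreements the description lists as two policies: a hypothetical strict reference inspector that refuses anything the report says clients disagree on (one exact "Transfer-Encoding: chunked" on HTTP/1.1 only, bare hex chunk sizes, CRLF-only header lines, raw RFC 1951 deflate, no unknown encodings, no HTTP/0.9), and a lenient consumer that is the union of the most tolerant browser behaviours the report attributes to some browser (substring match on "chunked" with the HTTP version ignored, a bare CR ending a header line, \v/whitespace around the chunk size, zlib-wrapped RFC 1950 deflate, unknown encodings skipped, an HTTP/0.9 stream rendered as the body). The responses in SAMPLES are constructed here to mirror individual evader tests and carry a harmless marker instead of EICAR; all function and sample names are this example's own.

```python
import gzip
import re
import zlib
PAYLOAD = b"<html>payload-that-the-browser-renders</html>"  # constructed stand-in for EICAR
STRICT, LENIENT = "strict", "lenient"  # reference inspector vs. most tolerant client behaviour

def is_chunked(version, headers, policy):
    # STRICT: one header, exactly "chunked", HTTP/1.1 only, else ambiguous. LENIENT: substring, version ignored.
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if not te:
        return False
    if policy == LENIENT:
        return any(b"chunked" in v.lower() for v in te)
    if version == b"HTTP/1.1" and len(te) == 1 and te[0].lower() == b"chunked":
        return True
    raise ValueError("clients disagree on Transfer-Encoding %r for %r" % (te, version))

def parse_chunk_size(line, policy):
    # STRICT: hex digits plus optional ";ext". LENIENT: \v, tab and space around the size tolerated.
    pattern = rb"^([0-9a-fA-F]+)(;.*)?$" if policy == STRICT else rb"^[\x0b\t ]*([0-9a-fA-F]+)"
    m = re.match(pattern, line)
    if not m:
        raise ValueError("unparseable chunk size %r" % line)
    return int(m.group(1), 16)

def dechunk(body, policy):
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)  # ValueError if the chunk header is truncated
        size = parse_chunk_size(body[pos:end], policy)
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip size line, chunk data and the trailing CRLF

def decode_content(body, encodings, policy):
    # Tokens were applied in listed order, so undo them in reverse. STRICT: raw deflate (RFC 1951)
    # only, unknown tokens rejected. LENIENT: zlib-wrapped deflate (RFC 1950) too, unknown tokens skipped.
    for enc in reversed(encodings):
        enc = enc.strip().lower()
        if enc == b"gzip":
            body = zlib.decompress(body, 16 + zlib.MAX_WBITS)
        elif enc == b"deflate" and policy == STRICT:
            body = zlib.decompress(body, -zlib.MAX_WBITS)
        elif enc == b"deflate":
            try:
                body = zlib.decompress(body, zlib.MAX_WBITS)
            except zlib.error:
                body = zlib.decompress(body, -zlib.MAX_WBITS)
        elif enc not in (b"", b"identity") and policy == STRICT:
            raise ValueError("unsupported Content-Encoding %r" % enc)
    return body

def extract(raw, policy):
    """Body a consumer following `policy` obtains from a raw response; raises if it cannot."""
    if not raw.startswith(b"HTTP/"):
        if policy == STRICT:
            raise ValueError("no status line (HTTP/0.9-style response)")
        return raw  # most browsers render the whole stream as the body
    if policy == STRICT:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
    else:  # a bare CR also ends a header line, hiding what follows it from a CRLF-only parser
        m = re.search(rb"(\r\n|\r(?!\n)|\n){2}|\Z", raw)
        head, body = raw[:m.start()], raw[m.end():]
        lines = re.split(rb"\r\n|\r|\n", head)
    parts = [line.partition(b":") for line in lines[1:]]
    headers = [(n.strip().lower(), v.strip()) for n, sep, v in parts if sep]
    if is_chunked(lines[0].split(b" ", 1)[0], headers, policy):
        body = dechunk(body, policy)
    else:
        length = [v for n, v in headers if n == b"content-length"]
        body = body[:int(length[0])] if length else body
    encodings = [e for n, v in headers if n == b"content-encoding" for e in v.split(b",")]
    return decode_content(body, encodings, policy)

def bypass(raw):
    """True when the strict inspector cannot reproduce what the tolerant client renders."""
    def view(policy):
        try:
            return extract(raw, policy)
        except (ValueError, zlib.error):
            return None  # parser gave up; an IDS should at least log here instead of staying silent
    seen = view(LENIENT)
    return seen is not None and view(STRICT) != seen

def chunked(data, size_line=None):
    return (size_line or b"%x" % len(data)) + b"\r\n" + data + b"\r\n0\r\n\r\n"

H11 = b"HTTP/1.1 200 OK\r\n"
SAMPLES = {  # constructed responses, each mirroring one evader test named in the report
    "clean": H11 + b"Content-Length: %d\r\n\r\n" % len(PAYLOAD) + PAYLOAD,
    "te_substring": H11 + b"Transfer-Encoding: xchunkedy\r\n\r\n" + chunked(PAYLOAD),
    "te_http10": b"HTTP/1.0 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + chunked(PAYLOAD),
    "vt_chunk_size": H11 + b"Transfer-Encoding: chunked\r\n\r\n" + chunked(PAYLOAD, b"\x0b%x" % len(PAYLOAD)),
    "zlib_deflate": H11 + b"Content-Encoding: deflate\r\n\r\n" + zlib.compress(PAYLOAD),
    "double_enc": H11 + b"Content-Encoding: deflate,gzip\r\n\r\n" + gzip.compress(zlib.compress(PAYLOAD)),
    "bare_cr": b"HTTP/1.1 200 OK\rTransfer-Encoding: chunked\r\n\r\n" + chunked(PAYLOAD),
    "http09": PAYLOAD,
}
```

bypass() is True for every sample except "clean": in each of those the strict side either gives up or extracts a different body than the lenient side, and each such point is where an inspector needs at least a log line, which is the gap the report describes. Appending further raw responses to SAMPLES (for example a second Transfer-Encoding header, or a chunk size with trailing \v) extends the check without touching the parser.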


Files

all-relevant-tests.pcap.gz (68.5 KB), Steffen Ullrich, 01/02/2016 03:39 PM