Security #4710

tcp: Bypass of Payload Detection on TCP RST with options of MD5header

Added by Chang Zedd almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label: Needs backport to 5.0, Needs backport to 6.0
Git IDs: 50e2b973eeec7172991bf8f544ab06fb782b97df
Severity: HIGH
Disclosure Date:

Description
While running Suricata in inline mode, it is possible to bypass/evade any HTTP-based signature by forging a TCP RST packet with a random TCP MD5 header option from the client side.

After the three-way handshake, it is possible to inject a RST ACK carrying a random TCP MD5 header option. The client can then send an HTTP GET request with a forbidden URL.
The server will ignore the RST ACK and send the HTTP response to the client's request.
These packets will not trigger Suricata's reject action.

This technique works on both the 6.0.3 release and the latest GitHub commit (7.0.0-dev a480ec2ba 2021-09-22).

Server:
apachectl -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2021-06-18T11:06:22

Attached

You can find attached:
- test.rule: an HTTP rule that detects the string "ultrasurf"
- without_evasion.pcap: a client that sends the string "ultrasurf" to a server without any evasion technique. It triggers the REJECT action of test.rule in Suricata and receives a RST.
- with_evasion.pcap: a client that sends the string "ultrasurf" to a Linux Apache server (kernel 5.4.0) using this evasion technique
- poc.py: a Python script that plays the evasion technique
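The stream-engine check this report calls for, as an added example written for this page (it is not Suricata's own code): a RST that carries an MD5 (option kind 19) or TCP-AO (option kind 29, the case the attached tcpao.pcap covers) option which the session's SYN never carried is not trusted to close the session, because the peer's stack rejects such a segment, which is why the report's Linux server ignores the RST. The raw-header builder, the sample segments and the option kinds are constructed here for the demonstration.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP_MD5SIG, TCP_AO = 19, 29   # RFC 2385 / RFC 5925 option kinds
AUTH_OPTS = {TCP_MD5SIG, TCP_AO}

def parse_tcp(seg: bytes):
    """Return (flags, {option kind: option data}) from a raw TCP header."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    data_off, flags, opts, i = (seg[12] >> 4) * 4, seg[13], {}, 20
    while i < data_off:
        kind = seg[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = seg[i + 1] if i + 1 < data_off else 0
        if length < 2 or i + length > data_off:
            raise ValueError("malformed TCP option")
        opts[kind] = seg[i + 2:i + length]
        i += length
    return flags, opts

def trust_rst(syn_seg: bytes, rst_seg: bytes) -> bool:
    """Close the session on this RST?  A RST carrying an MD5/AO option that the
    session's SYN lacked is rejected by the peer's stack (the report's Linux
    server ignored it), so honouring it would only blind the sensor."""
    syn_flags, syn_opts = parse_tcp(syn_seg)
    rst_flags, rst_opts = parse_tcp(rst_seg)
    if not (syn_flags & SYN) or not (rst_flags & RST):
        raise ValueError("expected a SYN segment and a RST segment")
    return not ((set(rst_opts) & AUTH_OPTS) - set(syn_opts))

def tcp_segment(flags: int, options: bytes = b"") -> bytes:
    """Build a raw TCP header (constructed test data; ports and seqs are arbitrary)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, data_off << 4, flags, 65535, 0, 0) + options

# Constructed samples: a plain SYN (MSS only), a RST/ACK with a bogus 16-byte MD5 digest, a plain RST/ACK.
SYN_SEG = tcp_segment(SYN, b"\x02\x04\x05\xb4")
RST_MD5_SEG = tcp_segment(RST | ACK, bytes([TCP_MD5SIG, 18]) + b"\x00" * 16)
RST_PLAIN_SEG = tcp_segment(RST | ACK)

if __name__ == "__main__":
    print(trust_rst(SYN_SEG, RST_MD5_SEG), trust_rst(SYN_SEG, RST_PLAIN_SEG))   # False True
```

A sensor applying this rule keeps tracking the session after the forged RST, so the GET that follows is still inspected against test.rule.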


Files

poc.py (1.65 KB): A Python script that plays the evasion technique. Chang Zedd, 09/26/2021 02:56 AM
test.rule (101 Bytes): An HTTP rule that detects the string "ultrasurf". Chang Zedd, 09/26/2021 02:56 AM
with_evasion.pcapng (2.15 KB): A client that sends the string "ultrasurf" to a Linux Apache server (kernel 5.4.0) using this evasion technique. Chang Zedd, 09/26/2021 02:56 AM
without_evasion.pcapng (984 Bytes): A client that sends the string "ultrasurf" to a server without any evasion technique. Chang Zedd, 09/26/2021 02:56 AM
tcpao.pcap (2.47 KB). Philippe Antoine, 10/08/2021 10:06 AM

Related issues (2, both closed)

Copied to Suricata - Security #4726: tcp: Bypass of Payload Detection on TCP RST with options of MD5header (Closed, Shivani Bhardwaj)
Copied to Suricata - Security #4727: Bypass of Payload Detection on TCP RST with options of MD5header (Closed, Jeff Lucovsky)