Security #4726

tcp: Bypass of Payload Detection on TCP RST with options of MD5header

Added by Jeff Lucovsky about 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Severity: HIGH

Description

While running Suricata in inline mode, it is possible to bypass/evade any HTTP-based signature by faking a TCP RST packet with a random TCP md5header option from the client side.

After the three-way handshake, it is possible to inject a RST/ACK with a random TCP md5header option. Then the client can send an HTTP GET request with a forbidden URL.
The server will ignore the RST/ACK and send the HTTP response to the client's request.
These packets will not trigger Suricata's reject action.

This strategy works on both 6.0.3 RELEASE and the latest GitHub commit (7.0.0-dev a480ec2ba 2021-09-22).

Build Info

suricata --build-info

This is Suricata version 7.0.0-dev (a480ec2ba 2021-09-22)
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.38, linked against LibHTP v0.5.38

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: yes
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.47.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.46.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: no, not bundled
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes

This is Suricata version 6.0.3 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.38, linked against LibHTP v0.5.38

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.47.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.46.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes

Server:
apachectl -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2021-06-18T11:06:22

Attached

You can find attached:
- test.rule: an HTTP rule that detects the string "ultrasurf"
- without_evasion.pcap: a client that sends the string "ultrasurf" to a server without any evasion technique. It triggers the REJECT action of test.rule and receives a RST.
- with_evasion.pcap: a client that sends the string "ultrasurf" to a Linux Apache server (kernel 5.4.0) using this evasion technique
- poc.py: a Python script that plays the evasion technique
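As an added illustration of the defensive side (this is not the attached poc.py and not Suricata's code), the following Python models the session-tracking check that a stream engine needs here: a RST carrying a TCP MD5 signature option (kind 19, RFC 2385) or TCP-AO option (kind 29, RFC 5925) on a session whose SYN carried no such option is discarded, just as a receiving Linux host without a configured key discards it, so the tracked session stays open and later payload is still inspected. The `strict` flag (off reproduces the vulnerable behaviour), the state names and the client-to-server-only tracking are assumptions of this model.

```python
from dataclasses import dataclass

# TCP flag bits and the two "signed segment" option kinds (RFC 2385, RFC 5925).
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
OPT_EOL, OPT_NOP, OPT_MD5SIG, OPT_AO = 0, 1, 19, 29


def parse_tcp_options(opts: bytes) -> set:
    """Return the option kinds present in a raw TCP options field."""
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        kinds.add(kind)
        i += opts[i + 1]
    return kinds


@dataclass
class Session:
    state: str = "NONE"        # assumed state names for this model
    carries_sig: bool = False  # did the client's SYN carry MD5SIG/AO?


def handle_segment(sess: Session, flags: int, opts: bytes, strict: bool = True) -> str:
    """Track one client->server segment (server direction omitted in this model).

    Returns "accept", or "ignore_rst" for a RST that a host without a
    configured MD5/AO key would silently discard (the case in this report).
    """
    has_sig = bool(parse_tcp_options(opts) & {OPT_MD5SIG, OPT_AO})
    if flags & TH_RST:
        if strict and has_sig and not sess.carries_sig:
            return "ignore_rst"  # session stays open, later payload still inspected
        sess.state = "CLOSED"    # non-strict: the RST tears the session down
        return "accept"
    if flags & TH_SYN:
        sess.state, sess.carries_sig = "SYN_SENT", has_sig
    elif flags & TH_ACK and sess.state != "CLOSED":
        sess.state = "ESTABLISHED"
    return "accept"


def replay(segments, strict: bool = True):
    """Run (flags, options) segments through a fresh session; return verdicts and final state."""
    sess = Session()
    verdicts = [handle_segment(sess, f, o, strict) for f, o in segments]
    return verdicts, sess.state
```

With `strict=False` the RST/ACK with a constructed MD5 option leaves the session CLOSED, so the GET that follows is no longer matched against a live session; with `strict=True` it is ignored and the session stays ESTABLISHED.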


Files

poc.py (1.65 KB) - A python script to play the evasion technique - Chang Zedd, 09/26/2021 02:56 AM
test.rule (101 Bytes) - A http rule that detects the string "ultrasurf" - Chang Zedd, 09/26/2021 02:56 AM
with_evasion.pcapng (2.15 KB) - A client which sends the string "ultrasurf" to a linux apache server (kernel 5.4.0) with this evasion technique - Chang Zedd, 09/26/2021 02:56 AM
without_evasion.pcapng (984 Bytes) - A client which sends the string "ultrasurf" to a server without any evasion technique. - Chang Zedd, 09/26/2021 02:56 AM

Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Security #4710: tcp: Bypass of Payload Detection on TCP RST with options of MD5header (Closed, Victor Julien)

#1

Updated by Jeff Lucovsky about 3 years ago

  • Copied from Security #4710: tcp: Bypass of Payload Detection on TCP RST with options of MD5header added
#2

Updated by Victor Julien almost 3 years ago

  • Subject changed from Bypass of Payload Detection on TCP RST with options of MD5header to tcp: Bypass of Payload Detection on TCP RST with options of MD5header
  • Severity changed from MODERATE to HIGH
#3

Updated by Victor Julien almost 3 years ago

  • Status changed from Assigned to Closed
#4

Updated by Victor Julien almost 3 years ago

  • Private changed from Yes to No
#5

Updated by Victor Julien almost 3 years ago

  • CVE set to 2021-45098