Project

General

Profile

Security #4710

Updated by Victor Julien about 3 years ago

*Description* 
 While configuring Suricata on inline mode, it is possible to bypass/evade any http based signature by faking a RST TCP packet with random TCP options of md5header from the client side. 

 After the three-way handshake packet, it's possible to inject a RST ACK with a random TCP md5header option. Then the client can send http GET request with forbidden URL. 
 The server will ignore the RST ACK and send the response http packet of the client's request. 
 These packets will not trigger Suricata reject action. 

 This strategy both work on 6.0.3 RELEASE and Github latest commit(7.0.0-dev a480ec2ba 2021-09-22) 

 *Build Info* 

 suricata --build-info 

 This is Suricata version 7.0.0-dev (a480ec2ba 2021-09-22) 
 Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST  
 SIMD support: SSE_4_2 SSE_4_1 SSE_3  
 Atomic intrinsics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 7.5.0, C version 201112 
 compiled with _FORTIFY_SOURCE=2 
 L1 cache line size (CLS)=64 
 thread local storage method: _Thread_local 
 compiled with LibHTP v0.5.38, linked against LibHTP v0.5.38 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   eBPF support:                              no 
   XDP support:                               no 
   PF_RING support:                           no 
   NFQueue support:                           yes 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no  
   DAG enabled:                               no 
   Napatech enabled:                          no 
   WinDivert enabled:                         no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   Libmagic support:                          yes 
   libjansson support:                        yes 
   hiredis support:                           no 
   hiredis async with libevent:               no 
   PCRE jit:                                  yes 
   LUA support:                               no 
   libluajit:                                 no 
   GeoIP2 support:                            no 
   Non-bundled htp:                           yes 
   Hyperscan support:                         no 
   Libnet support:                            yes 
   liblz4 support:                            yes 

   Rust support:                              yes 
   Rust strict mode:                          no 
   Rust compiler path:                        /usr/bin/rustc 
   Rust compiler version:                     rustc 1.47.0 
   Cargo path:                                /usr/bin/cargo 
   Cargo version:                             cargo 1.46.0 
   Cargo vendor:                              yes 

   Python support:                            yes 
   Python path:                               /usr/bin/python3 
   Python distutils                           yes 
   Python yaml                                yes 
   Install suricatactl:                       yes 
   Install suricatasc:                        yes 
   Install suricata-update:                   no, not bundled 

   Profiling enabled:                         no 
   Profiling locks enabled:                   no 

   Plugin support (experimental):             yes 

 This is Suricata version 6.0.3 RELEASE 
 Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST  
 SIMD support: SSE_4_2 SSE_4_1 SSE_3  
 Atomic intrinsics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 201112 
 compiled with _FORTIFY_SOURCE=0 
 L1 cache line size (CLS)=64 
 thread local storage method: _Thread_local 
 compiled with LibHTP v0.5.38, linked against LibHTP v0.5.38 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   eBPF support:                              no 
   XDP support:                               no 
   PF_RING support:                           no 
   NFQueue support:                           yes 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no  
   DAG enabled:                               no 
   Napatech enabled:                          no 
   WinDivert enabled:                         no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   Libmagic support:                          yes 
   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   hiredis support:                           no 
   hiredis async with libevent:               no 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               no 
   libluajit:                                 no 
   GeoIP2 support:                            no 
   Non-bundled htp:                           no 
   Hyperscan support:                         no 
   Libnet support:                            yes 
   liblz4 support:                            yes 
   HTTP2 decompression:                       no 

   Rust support:                              yes 
   Rust strict mode:                          no 
   Rust compiler path:                        /usr/bin/rustc 
   Rust compiler version:                     rustc 1.47.0 
   Cargo path:                                /usr/bin/cargo 
   Cargo version:                             cargo 1.46.0 
   Cargo vendor:                              yes 

   Python support:                            yes 
   Python path:                               /usr/bin/python3 
   Python distutils                           yes 
   Python yaml                                yes 
   Install suricatactl:                       yes 
   Install suricatasc:                        yes 
   Install suricata-update:                   yes 

   Profiling enabled:                         no 
   Profiling locks enabled:                   no 

   Plugin support (experimental):             yes                      


 Server: 
 apachectl -v 
 Server version: Apache/2.4.29 (Ubuntu) 
 Server built:     2021-06-18T11:06:22 

 *Attached* 

 You can find attached : 
 - test.rule : A http rule that detects the string "ultrasurf" 
 - without_evasion.pcap : A client which sends the string "ultrasurf" to a server without any evasion technique. It will trigger suricata test.rule REJECT action and receive RST. 
 - with_evasion.pcap : A client which sends the string "ultrasurf" to a linux apache server (kernel 5.4.0) with this evasion technique 
 - poc.py : A python script to play the evasion technique

Back