BugTraq
Re: Re: Verified evasion in Snort Feb 02 2006 10:11PM
anonpoet inconnu isu edu (1 replies)
<pre>
There seems to be some confusion about the fragmentation IDS evasion. We've observed
fragmentation timeouts on windows from 5 seconds to 90 seconds depending on the
software installed and random chance. Here are raw dumps from an evasion.

The mistake Judy Novak made in her analysis was in not recalculating the delay between
the first fragment and the other two fragments. If it is too short the target will reassemble
the first two fragments and find an invalid checksum discarding the packet. No ICMP
response will be sent.

Some experimentation will have to be done to find the correct timeout. It can be done
remotely by increasing the time between two good fragments until a reply isn't sent.
(Windows boxes don't seem to send out a frag time exceeded on anything other than
the first fragment.)

Here's a packet dump to verify that Snort's frag2 preprocessor is working:

16:04:18.155735 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 3cb1 2000 4001 0054 0a04 04d9 0a04 ..<...@..T......
0x0020: 04fc 0800 5446 8236 0053 5555 5555 5555 ....TF.6.SUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
16:04:18.178271 IP (tos 0x0, ttl 64, id 15537, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 3cb1 0001 4001 2053 0a04 04d9 0a04 ..<...@..S......
0x0020: 04fc 4241 4453 5455 4646 5555 5555 5555 ..BADSTUFFUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
16:04:18.178325 IP (tos 0x0, ttl 128, id 57573, offset 0, flags [none], proto: ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 83, length 16
0x0000: 000d 93b4 d31a 0011 2f7e db0b 0800 4500 ......../~....E.
0x0010: 0024 e0e5 0000 8001 3c17 0a04 04fc 0a04 .$......<.......
0x0020: 04d9 0000 5c46 8236 0053 4241 4453 5455 ....\F.6.SBADSTU
0x0030: 4646 0000 0000 0000 0000 0000 FF..........

[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8 Code:0 ID:33334 Seq:83 ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8 Code:0 ID:33334 Seq:83 ECHO

With no delay, Snort properly reassembles the fragments and generates an alert. With a delay, the target doesn't reassemble, but
Snort still generates an alert.

16:01:33.951416 IP (tos 0x0, ttl 64, id 12524, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 30ec 2000 4001 0c19 0a04 04d9 0a04 ..0...@.........
0x0020: 04fc 0800 5446 8236 0053 5555 5555 5555 ....TF.6.SUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
16:02:38.281468 IP (tos 0x0, ttl 128, id 57570, offset 0, flags [none], proto: ICMP (1), length: 56) 10.4.4.252 > 10.4.4.217: ICMP ip reassembly time exceeded, length 36
IP (tos 0x0, ttl 64, id 12524, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
0x0000: 000d 93b4 d31a 0011 2f7e db0b 0800 4500 ......../~....E.
0x0010: 0038 e0e2 0000 8001 3c06 0a04 04fc 0a04 .8......<.......
0x0020: 04d9 0b01 162f 0000 0000 4500 001c 30ec ...../....E...0.
0x0030: 2000 4001 0c19 0a04 04d9 0a04 04fc 0800 ..@.............
0x0040: 5446 8236 0053 TF.6.S
16:03:04.977353 IP (tos 0x0, ttl 64, id 12524, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 30ec 0001 4001 2c18 0a04 04d9 0a04 ..0...@.,.......
0x0020: 04fc 4241 4453 5455 4646 5555 5555 5555 ..BADSTUFFUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU

[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8 Code:0 ID:33334 Seq:83 ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8 Code:0 ID:33334 Seq:83 ECHO

With a delay of 91 seconds, the IDS evasion works and we get back a properly reassembled ICMP reply.

15:57:17.846828 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 313b 0001 4001 2bc9 0a04 04d9 0a04 ..1;..@.+.......
0x0020: 04fc 474f 4453 5455 4646 5555 5555 5555 ..GODSTUFFUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
15:58:48.873073 IP (tos 0x0, ttl 64, id 12603, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 313b 2000 4001 0bca 0a04 04d9 0a04 ..1;..@.........
0x0020: 04fc 0800 5446 8236 0053 5555 5555 5555 ....TF.6.SUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
15:58:48.892586 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
0x0000: 0011 2f7e db0b 000d 93b4 d31a 0800 4500 ../~..........E.
0x0010: 001c 313b 0001 4001 2bc9 0a04 04d9 0a04 ..1;..@.+.......
0x0020: 04fc 4241 4453 5455 4646 5555 5555 5555 ..BADSTUFFUUUUUU
0x0030: 5555 5555 5555 5555 5555 5555 UUUUUUUUUUUU
15:58:48.892644 IP (tos 0x0, ttl 128, id 57559, offset 0, flags [none], proto: ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 83, length 16
0x0000: 000d 93b4 d31a 0011 2f7e db0b 0800 4500 ......../~....E.
0x0010: 0024 e0d7 0000 8001 3c25 0a04 04fc 0a04 .$......<%......
0x0020: 04d9 0000 5c46 8236 0053 4241 4453 5455 ....\F.6.SBADSTU
0x0030: 4646 0000 0000 0000 0000 0000 FF..........

There were no Snort alerts. We haven't tried frag3, but fragments generally aren't delayed in the wild so an
alert on all fragments more than a second apart would probably be effective.

Jason Larsen
Mike Milvich

</pre>
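As an added defender-side example (not code from the post or from Snort), a small Python detector that applies the post's closing suggestion to the tcpdump header lines quoted above: it groups fragments by (src, dst, IP id), alerts when consecutive fragments of one datagram arrive more than a threshold apart, and also flags the target's "ip reassembly time exceeded" ICMP and a repeated fragment offset. The sample lines are copied from the dumps in the post; the 1 s threshold and the alert names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Heuristic from the post: fragments of one datagram arriving more than ~1 s
# apart are suspicious, since fragments are rarely delayed in the wild.
FRAG_GAP_THRESHOLD = 1.0  # seconds (assumption: tune for the monitored network)

# tcpdump -vv IP header lines copied from the post; hex/ASCII body lines omitted.
SAMPLE = """\
16:04:18.155735 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
16:04:18.178271 IP (tos 0x0, ttl 64, id 15537, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
16:01:33.951416 IP (tos 0x0, ttl 64, id 12524, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
16:02:38.281468 IP (tos 0x0, ttl 128, id 57570, offset 0, flags [none], proto: ICMP (1), length: 56) 10.4.4.252 > 10.4.4.217: ICMP ip reassembly time exceeded, length 36
16:03:04.977353 IP (tos 0x0, ttl 64, id 12524, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
15:57:17.846828 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
15:58:48.873073 IP (tos 0x0, ttl 64, id 12603, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
15:58:48.892586 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
"""

# Matches only lines that begin with a timestamp; body lines never match.
HEADER = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP \(.*?id (\d+), offset (\d+), flags \[([^\]]*)\]"
    r".*?\) (\S+) > (\S+): (.*)$")

def parse(lines):
    """Yield one dict per IP header line (timestamps assumed to be within one day)."""
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        yield {"t": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
               "id": int(m.group(2)), "off": int(m.group(3)),
               "mf": m.group(4) == "+", "src": m.group(5),
               "dst": m.group(6), "info": m.group(7)}

def detect(lines, threshold=FRAG_GAP_THRESHOLD):
    """Return (kind, key, detail) alerts for delayed or repeated fragments."""
    alerts, groups = [], defaultdict(list)
    for p in parse(lines):
        # The target's own reassembly timer firing is a visible symptom as well.
        if "reassembly time exceeded" in p["info"]:
            alerts.append(("frag-timeout-icmp", p["src"], p["info"]))
        if p["mf"] or p["off"] > 0:  # MF set or non-zero offset: a fragment
            groups[(p["src"], p["dst"], p["id"])].append(p)
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["t"])
        for a, b in zip(frags, frags[1:]):
            gap = (b["t"] - a["t"]).total_seconds()
            if gap > threshold:
                alerts.append(("frag-gap", key, f"{gap:.3f}s between fragments"))
        offsets = [f["off"] for f in frags]
        dups = sorted({o for o in offsets if offsets.count(o) > 1})
        if dups:  # same offset seen twice: the IDS and the host may keep different copies
            alerts.append(("frag-dup-offset", key, f"offsets repeated: {dups}"))
    return alerts
```

Run as-is, `detect(SAMPLE.splitlines())` stays silent for the no-delay case (id 15537) and raises alerts for the two delayed cases (ids 12524 and 12603) plus the host's time-exceeded message.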

Re: Re: Verified evasion in Snort Feb 03 2006 03:03PM
Dave Korn (davek_throwaway hotmail com)


 
