[ANN]: N.A.D.S. Normalized Attack Detection System

Hello,

Announcing nads-0.1, this is a little bit of concept code which I hope to grow over the next few months which normalizes HTTP URLs. It is implemented as a library (DSO) written in C and should be fairly portable (even for non-gcc compilers). It is free software released under the terms of the GNU GPL. You can download it at:

http://www.scaramanga.co.uk/nads/nads-0.1.tar.gz

It currently normalizes the following evasion techniques:  o Strips out query string
 o Hex encoding (including double hex encoding)  o MS UTF-16 (%uNNNN)
 o Overlong UTF-8 encodings
 o Double slashes
 o Backslashes
 o Case normalization
 o . and .. normalized out (eg /./foo/../bar/ becomes /bar/)

Some of these things are specific to webservers, so there is an API to select which webserver to emulate. It's pretty flexible.

Here is an example. The URL starts like this (unicode exploit caught in the wild):

/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

Then it gets hex decoded:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then it gets hex decoded again (the emulation type is set to IIS).

/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then overlong UTF-8 encodings are removed:

/msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe

Then the path components are normalized:

/msadc/../../../../../../../../../../../winnt/system32/cmd.exe

Then the code throws up an error, due to accessing files outside the webroot.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The plans are to also add a squid ACL helper with fast signature matching support to provide a free web application layer firewall / IPS.

Enjoy! :)

-- 

// Gianni Tedesco (gianni at scaramanga dot co dot uk)


lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D