Attack Transformation to Evade Intrusion Detection

Xitao Wen, Xin Zhao, Taiyo Sogawa

Xitao Wen Xin Zhao Taiyo Sogawa. Protocol-level vulnerability and attack Defense: Intrusion Detection/Prevention Our goal o Defeat Cisco IPS by manipulating.

Dec 31, 2015

Page 1

Attack Transformation to Evade Intrusion Detection

Xitao Wen, Xin Zhao, Taiyo Sogawa

Page 2

Introduction

• Protocol-level vulnerability and attack

• Defense: Intrusion Detection/Prevention

• Our goal

◦ Defeat Cisco IPS by manipulating protocol-level attack payload

Page 3

But how?

We could know

• Cisco IPS signatures

◦ which tell what can be detected

• Vulnerability description

◦ which tells how the vulnerability is triggered

By comparing the two, we can understand the flaws of the signatures.

Page 4

Related work

Academic work

◦ A comparison of Intrusion Detection systems (2001), by E. Biermann et al.

◦ Research in Intrusion-Detection Systems: A Survey (1999), by S. Axelsson

Commercial test on IPS

◦ NSS Labs: test of 1000 wild exploits on commercial IPS

No research on the robustness and expressiveness of signatures.

Page 5

Selecting Vulnerabilities

Chose vulnerabilities based on whether…

◦ open source

◦ current

◦ an IPS signature exists

Installed correct versions of the software on a Linux machine and tested whether they ran correctly

Throw-aways:

◦ PHP: Horde CVE-2012-0209

◦ Oracle: CVE-2010-3585

◦ SquirrelMail: CVE-2003-0990

Decided to use Samba and MySQL SSL

Page 6

Samba

• Open source network file system

• Implementation of SMB (Server Message Block) / CIFS (Common Internet File System)

• Allows transferring files between Windows and Linux machines

Page 7

Samba trans2.c Vulnerability

Page 8

Cisco Signature for CVE-2003-0201

\xff\x53\x4d\x42\x32[\x00-\xff]+\x00\x14((\x04[^\x00])|[\x05-\xff])

[\x00-\xff]+ (Equivalent to *)

\x04[^\x00] (Not x00)

[\x05-\xff] (Or x05-xff)

(Specs for Cisco signature 3325/0)
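To make the signature on this slide concrete from the detection side, the following added example (not code from the slides or from Cisco) compiles the pattern exactly as transcribed above, applies it to a few constructed SMB messages, and reports which ones it would flag. The SMB header layout (4-byte magic, 1-byte command, 27 further header bytes) and the command code 0x32 for SMB_COM_TRANSACTION2 are standard; the sample messages, the filler bytes and the helper names (smb_header, signature_matches, scan_messages) are constructed for the demo.

```python
import re

# Cisco signature 3325/0 for CVE-2003-0201, exactly as transcribed on the slide.
# \xffSMB = SMB protocol magic, \x32 = SMB_COM_TRANSACTION2 command code; the rest
# is the byte pattern the signature requires somewhere after the command byte.
SIGNATURE = re.compile(
    rb"\xff\x53\x4d\x42\x32[\x00-\xff]+\x00\x14((\x04[^\x00])|[\x05-\xff])"
)

SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72


def smb_header(command: int) -> bytes:
    """Constructed minimal 32-byte SMB header: magic, command, remaining fields zeroed.
    (Real headers carry status, flags, TID/PID/UID/MID; zeros suffice for a matching demo.)"""
    return b"\xffSMB" + bytes([command]) + b"\x00" * 27


def signature_matches(message: bytes):
    """Return (offset, matched_bytes) for the first hit, or None when the signature does not fire."""
    m = SIGNATURE.search(message)
    return None if m is None else (m.start(), m.group(0))


def scan_messages(messages):
    """Indices of the messages the signature would flag, in the order they were seen."""
    return [i for i, msg in enumerate(messages) if signature_matches(msg) is not None]


# Constructed sample messages (not captured traffic): header, 11 filler bytes, short body.
_FILLER = b"\x00" * 11
# \x00\x14 followed by \x04 and a non-zero byte: first alternative of the signature.
SAMPLE_HIT = smb_header(SMB_COM_TRANSACTION2) + _FILLER + b"\x00\x14\x04\x01" + b"\x00" * 8
# \x00\x14 followed by a byte in \x05-\xff: second alternative.
SAMPLE_ALT_BRANCH = smb_header(SMB_COM_TRANSACTION2) + _FILLER + b"\x00\x14\x09" + b"\x00" * 8
# \x00\x14\x04\x00: the \x00 after \x04 is excluded by [^\x00], so no hit.
SAMPLE_EXCLUDED = smb_header(SMB_COM_TRANSACTION2) + _FILLER + b"\x00\x14\x04\x00" + b"\x00" * 8
# Same body bytes in a NEGOTIATE message: command byte is not \x32, so no hit.
SAMPLE_OTHER_COMMAND = smb_header(SMB_COM_NEGOTIATE) + _FILLER + b"\x00\x14\x04\x01" + b"\x00" * 8

if __name__ == "__main__":
    samples = [SAMPLE_HIT, SAMPLE_EXCLUDED, SAMPLE_OTHER_COMMAND, SAMPLE_ALT_BRANCH]
    for i, msg in enumerate(samples):
        print(i, signature_matches(msg))
    print("flagged:", scan_messages(samples))  # [0, 3]
```

The `[\x00-\xff]+` wildcard means the pattern does not tie `\x00\x14` to any particular field offset in the SMB_COM_TRANSACTION2 layout shown on the following slides; checking a signature's match condition against the protocol's actual field layout, as the slides propose, is how a detection engineer finds out whether the bytes matched are really the ones that trigger the vulnerability.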

Page 9

SMB Header

Page 10

SMB_COM_TRANSACTION2 Format


Page 11

Buffer (SMB_COM_TRANSACTION2)

Page 12

MySQL yaSSL SSL Hello Message Buffer Overflow

SSL – Secure Socket Layer

◦ data is encrypted by the SSL code

◦ SSL handshake flow

◦ Symmetric key cryptography is used to encrypt and decrypt application data messages

Page 13

Handshake Process

Page 14

Attack Philosophy - Buffer Overflow

Page 15

Header Struct.
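Slides 12 to 15 name the bug class (a buffer overflow in the handling of the SSL Hello message) and the header structure it arrives in. The following added example, which is not code from the slides, from MySQL or from yaSSL, shows the receiving-side check that this bug class lacks: a ClientHello parser that validates every declared length field against the bytes actually present, and against the fixed upper bound for the session id, before copying. The record and handshake layout is the standard SSL 3.0 / TLS framing; the sample messages and the helper names (parse_client_hello, build_client_hello, is_rejected, MalformedHello) are constructed for the demo.

```python
import struct


class MalformedHello(ValueError):
    """Raised when a declared length does not fit the bytes actually received."""


# Upper bound from the SSL 3.0 / TLS ClientHello definition (SessionID <0..32>).
MAX_SESSION_ID_LEN = 32


def _take(buf: bytes, offset: int, n: int, what: str) -> bytes:
    """Copy n bytes from buf at offset, refusing if they are not all present.
    This is the check whose absence lets an attacker-controlled length field
    drive a copy past the end of a fixed-size buffer."""
    if n < 0 or offset + n > len(buf):
        raise MalformedHello(f"{what}: declared {n} bytes, only {len(buf) - offset} available")
    return buf[offset:offset + n]


def parse_client_hello(record: bytes) -> dict:
    """Parse one record carrying a ClientHello, validating every length field.

    Layout assumed (standard SSL 3.0 / TLS framing):
      record:      type(1) version(2) length(2) fragment
      handshake:   type(1) length(3) body
      ClientHello: version(2) random(32) session_id_len(1) session_id
                   cipher_suites_len(2) cipher_suites compression_len(1) compression
    Anything after the compression list (TLS extensions) is left unparsed.
    """
    if len(record) < 5:
        raise MalformedHello("record header truncated")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 22:  # 22 = handshake
        raise MalformedHello(f"record type {rec_type} is not handshake")
    fragment = _take(record, 5, rec_len, "record length")

    if len(fragment) < 4:
        raise MalformedHello("handshake header truncated")
    if fragment[0] != 1:  # 1 = client_hello
        raise MalformedHello(f"handshake type {fragment[0]} is not ClientHello")
    hs_len = int.from_bytes(fragment[1:4], "big")
    body = _take(fragment, 4, hs_len, "handshake length")

    off = 0

    def field(n: int, what: str) -> bytes:
        nonlocal off
        chunk = _take(body, off, n, what)
        off += n
        return chunk

    client_version = struct.unpack("!H", field(2, "client version"))[0]
    field(32, "random")
    sid_len = field(1, "session_id length")[0]
    if sid_len > MAX_SESSION_ID_LEN:
        # Even if the bytes are all on the wire, a 32-byte destination buffer would overflow.
        raise MalformedHello(f"session_id length {sid_len} exceeds {MAX_SESSION_ID_LEN}")
    session_id = field(sid_len, "session_id")
    cs_len = struct.unpack("!H", field(2, "cipher_suites length"))[0]
    if cs_len == 0 or cs_len % 2:
        raise MalformedHello(f"cipher_suites length {cs_len} is not a positive even number")
    suites = field(cs_len, "cipher_suites")
    comp_len = field(1, "compression length")[0]
    compression = field(comp_len, "compression methods")
    return {
        "client_version": client_version,
        "session_id": session_id,
        "cipher_suites": [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)],
        "compression": list(compression),
        "trailing_bytes": len(body) - off,
    }


def is_rejected(record: bytes) -> bool:
    """True if the validating parser refuses the record (used to exercise the failure modes)."""
    try:
        parse_client_hello(record)
    except MalformedHello:
        return True
    return False


def build_client_hello(session_id: bytes, cipher_suites: bytes, declared_sid_len=None) -> bytes:
    """Constructed sample ClientHello (not captured traffic). declared_sid_len lets a test
    write a session_id length that disagrees with the bytes actually sent."""
    sid_len = len(session_id) if declared_sid_len is None else declared_sid_len
    body = (b"\x03\x01" + bytes(range(32)) + bytes([sid_len]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    good = build_client_hello(b"\xaa" * 8, b"\x00\x2f\x00\x35")
    print(parse_client_hello(good))
    bad = build_client_hello(b"\xaa" * 8, b"\x00\x2f", declared_sid_len=200)
    print("oversized session_id rejected:", is_rejected(bad))   # True
    print("truncated record rejected:", is_rejected(good[:-10]))  # True
```

The two rejected cases are the two ways a length field can lie: it can claim more bytes than the peer actually sent (the truncated record), or it can claim more bytes than the receiver's buffer can hold even though they are all present (the 200-byte session id). A parser that only checks the first, or neither, is the kind of code the attack philosophy on slide 14 targets.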

Page 16

Attacking Code => Sig. in IPS

\xcd\xa7\x21K\xe3U\xb3\x89\x3b\x00\xbeSH\xe9A\xac\x0e\x02\xd9\x93\xce\xda\xf2\xa2\xa3kMB\x60\xaa\xec\x02bb\x00Paaaaaaaa

Still cannot match…

Page 17

Testing Environment

Linux machine

◦ Samba 2.0 installed

◦ MySQL 5.0 installed

Cisco IPS 4270

(Diagram labels: Linux Server, Cisco IPS, Client)

Page 18

Challenges, Scope, and Goals

Challenges

◦ Each vulnerability has to be studied and altered by hand

Scope

◦ No automated process, so benchmarking is not possible

◦ Measurement of success: whether or not the exploit is detected

Goals

◦ Study 4 vulnerabilities in depth

◦ Modify existing exploits to evade the Cisco signature

◦ Launch 4 attacks, (hopefully) undetected by the IPS