Date post: 31-Dec-2015

Attack Transformation to Evade Intrusion Detection

Xitao Wen, Xin Zhao, Taiyo Sogawa

Introduction

• Protocol-level vulnerability and attack
• Defense: Intrusion Detection/Prevention
• Our goal
  ◦ Defeat Cisco IPS by manipulating the protocol-level attack payload

But how?

What we can know:

• Cisco IPS signatures
  ◦ which tell us what can be detected
• Vulnerability descriptions
  ◦ which tell us how the vulnerability is triggered

By comparing the two, we can understand the flaws in the signatures.

Related work

• Academic work
  ◦ A comparison of Intrusion Detection Systems (2001), by E. Biermann et al.
  ◦ Research in Intrusion-Detection Systems: A Survey (1999), by S. Axelsson
• Commercial tests of IPS
  ◦ NSS Labs: tested 1000 wild exploits against commercial IPS

No research on the robustness and expressiveness of signatures.

Selecting Vulnerabilities

Chose vulnerabilities based on whether…
◦ open source
◦ current
◦ an IPS signature exists

Installed the correct versions of the software on a Linux machine and tested that they ran correctly

Throw-aways:
◦ PHP: Horde, CVE-2012-0209
◦ Oracle: CVE-2010-3585
◦ SquirrelMail: CVE-2003-0990

Decided to use Samba and MySQL SSL

Samba

• Open source network file system
• Implementation of SMB (Server Message Block) / CIFS (Common Internet File System)
• Allows transferring files between Windows and Linux machines

Samba trans2.c Vulnerability

Cisco Signature for CVE-2003-0201

\xff\x53\x4d\x42\x32[\x00-\xff]+\x00\x14((\x04[^\x00])|[\x05-\xff])

◦ \xff\x53\x4d\x42 : the "\xffSMB" header magic; \x32 : command SMB_COM_TRANSACTION2
◦ [\x00-\xff]+ : one or more arbitrary bytes (effectively a wildcard over the rest of the header, since the 32-byte header always continues after the command byte)
◦ \x00\x14 : two literal bytes
◦ \x04[^\x00] : 0x04 followed by any byte that is not 0x00
◦ [\x05-\xff] : or any single byte from 0x05 to 0xff

(Specs for Cisco signature 3325/0)

[Figures: SMB Header; SMB_COM_TRANSACTION2 Format; ...; Buffer (SMB_COM_TRANSACTION2)]
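To make the signature's semantics concrete, here is an added example (not part of the original slides and not Cisco's signature engine) that compiles the pattern exactly as transcribed above into a Python bytes regex and runs it over constructed SMB PDUs. The header builder and the bytes placed after the header are constructed for illustration only: they are not taken from any real exploit, and the five bytes after the header are arbitrary test values chosen to exercise the `\x00\x14` alternation, not a real Trans2 request.

```python
import re

# Cisco IPS signature 3325/0 as transcribed on the slide, compiled as a bytes regex.
SIG_3325_0 = re.compile(
    rb"\xff\x53\x4d\x42\x32"         # "\xffSMB" magic followed by command 0x32 (SMB_COM_TRANSACTION2)
    rb"[\x00-\xff]+"                  # one or more arbitrary bytes (rest of the 32-byte header, and more)
    rb"\x00\x14"                      # two literal bytes
    rb"(?:\x04[^\x00]|[\x05-\xff])"   # then 0x04 followed by a non-zero byte, or any byte >= 0x05
)

SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION = 0x25


def smb_header(command: int) -> bytes:
    """Constructed 32-byte SMB header: magic, command byte, every other field zeroed."""
    return b"\xffSMB" + bytes([command]) + b"\x00" * 27


def matches_sig_3325_0(pdu: bytes) -> bool:
    """True if the transcribed signature fires anywhere in the PDU."""
    return SIG_3325_0.search(pdu) is not None


def signature_verdicts() -> dict:
    """Run the signature over constructed PDUs to show exactly what it keys on.

    The bytes after the header are arbitrary test values placed only to exercise
    the two literal bytes and the alternation; they are not a real Trans2 request.
    """
    t2 = smb_header(SMB_COM_TRANSACTION2)
    cases = {
        # 0x05 satisfies [\x05-\xff]
        "trans2_00_14_05_01": t2 + b"\x0f\x00\x14\x05\x01",
        # 0x04 followed by a non-zero byte satisfies \x04[^\x00]
        "trans2_00_14_04_01": t2 + b"\x0f\x00\x14\x04\x01",
        # 0x04 followed by 0x00 satisfies neither branch
        "trans2_00_14_04_00": t2 + b"\x0f\x00\x14\x04\x00",
        # 0x03 is below both branches
        "trans2_00_14_03_ff": t2 + b"\x0f\x00\x14\x03\xff",
        # identical trailing bytes, but the command is SMB_COM_TRANSACTION, not TRANSACTION2
        "trans_00_14_05_01": smb_header(SMB_COM_TRANSACTION) + b"\x0f\x00\x14\x05\x01",
        # \x00\x14 directly after the command byte: the '+' demands at least one byte first
        "trans2_no_gap": b"\xffSMB\x32" + b"\x00\x14\x05\x01" + b"\x00" * 23,
    }
    return {name: matches_sig_3325_0(pdu) for name, pdu in cases.items()}


if __name__ == "__main__":
    for name, hit in signature_verdicts().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Two things the run makes visible. First, the signature keys on literal bytes, not on a decoded Trans2 field: because of the wildcard, `\x00\x14` may sit anywhere after the command byte. Second, a 0x04 followed by 0x00, or any first byte at or below 0x03, falls outside both branches of the alternation. Whether a working trans2open request can be placed in those gaps is a separate question that this example does not answer; it only shows what the regex itself accepts.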

MySQL yaSSL SSL Hello Message Buffer Overflow

SSL – Secure Socket Layer
◦ application data is encrypted by the SSL layer
◦ SSL handshake flow
◦ Symmetric key cryptography is used to encrypt and decrypt application data messages

Handshake Process

Attack Philosophy - Buffer Overflow

Header Struct.

Attacking Code => Sig. in IPS

\xcd\xa7\x21K\xe3U\xb3\x89\x3b\x00\xbeSH\xe9A\xac\x0e\x02\xd9\x93\xce\xda\xf2\xa2\xa3kMB\x60\xaa\xec\x02bb\x00Paaaaaaaa

Still cannot match…
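As an added example (not from the slides, and not yaSSL's or MySQL's code), the parser below walks a TLS/SSLv3 record carrying a ClientHello and refuses any length field that runs past the received data or exceeds its protocol bound. The slides do not say which length field the yaSSL code failed to bound, so the parser checks all of them: record length, handshake length, session_id length (at most 32 bytes by the SSLv3/TLS definition), cipher_suites length (non-zero and even) and compression_methods length (non-zero). The hello messages it runs on are constructed here; the 32-byte random and the cipher suite numbers are arbitrary test values, and the builder deliberately performs no checks so it can produce the over-long session_id a hostile client would send.

```python
import struct

CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
MAX_SESSION_ID_LEN = 32          # SessionID is opaque<0..32> in SSLv3 and TLS


class HelloParseError(ValueError):
    """Raised instead of trusting a peer-supplied length."""


def build_client_hello(session_id: bytes, cipher_suites: list, version=(3, 1)) -> bytes:
    """Constructed ClientHello inside a handshake record (test data, not captured traffic).

    Sender side, so no bounds checks on purpose: a 1-byte session_id length field
    lets it claim up to 255 bytes, well past the 32 a fixed-size buffer expects.
    """
    random = b"\x11" * 32                                  # arbitrary constructed value
    body = bytes(version) + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello, checking every length against the data and its protocol bound."""
    if len(record) < 5:
        raise HelloParseError("truncated record header")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise HelloParseError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise HelloParseError("record length runs past the received data")
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise HelloParseError("not a ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise HelloParseError("handshake length runs past the record")

    pos = 0

    def take(n: int) -> bytes:
        # Every read goes through here, so a lying length can never index past the buffer.
        nonlocal pos
        if pos + n > len(hello):
            raise HelloParseError(f"field of {n} bytes runs past the end of the ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk

    client_version = tuple(take(2))
    random = take(32)
    sid_len = take(1)[0]
    if sid_len > MAX_SESSION_ID_LEN:
        # The check a fixed-size 32-byte session_id buffer needs before any copy.
        raise HelloParseError(f"session_id length {sid_len} exceeds {MAX_SESSION_ID_LEN}")
    session_id = take(sid_len)
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise HelloParseError("cipher_suites length must be a non-zero multiple of 2")
    cs_bytes = take(cs_len)
    cipher_suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len = take(1)[0]
    if cm_len == 0:
        raise HelloParseError("compression_methods must not be empty")
    compression = list(take(cm_len))
    return {
        "version": client_version,
        "random": random,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression": compression,
        "trailing": len(hello) - pos,     # extensions, if any, are left unparsed
    }


def rejects(record: bytes) -> bool:
    """True if the parser refuses the record (shows what the bounds checks catch)."""
    try:
        parse_client_hello(record)
        return False
    except HelloParseError:
        return True


if __name__ == "__main__":
    benign = build_client_hello(b"", [0x002F, 0x0035])
    print("benign cipher suites:", parse_client_hello(benign)["cipher_suites"])
    hostile = build_client_hello(b"A" * 255, [0x002F])   # session_id length 255 > 32
    print("hostile rejected:", rejects(hostile))
```

The design point is that the parser never lets a length field drive a copy or an index without first comparing it both to the bytes actually received and to the largest value the protocol allows; the `take` helper centralises the first check so no field can be read past the buffer, and the explicit session_id test is the bound a fixed 32-byte buffer needs before it is written.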

Testing Environment

• Linux machine
  ◦ Samba 2.0 installed
  ◦ MySQL 5.0 installed
• Cisco IPS 4270

[Diagram: Linux Server, Cisco IPS, Client]

Challenges, Scope, and Goals

Challenges
◦ Each vulnerability has to be studied and altered by hand

Scope
◦ No automated process, so benchmarking is not possible
◦ Measurement of success: whether or not the exploit is detected

Goals
◦ Study 4 vulnerabilities in depth
◦ Modify existing exploits to evade the Cisco signatures
◦ Launch 4 attacks, (hopefully) undetected by the IPS

