Introduction
• Protocol-level vulnerabilities and attacks
• Defense: intrusion detection / intrusion prevention systems (IDS/IPS)
• Our goal
◦ Defeat Cisco IPS by manipulating the protocol-level attack payload
But how?
We can obtain two things:
• The Cisco IPS signatures, which tell us what can be detected
• The vulnerability description, which tells us how the vulnerability is triggered
By comparing the two, we can understand the flaws in the signatures.
Related work
Academic work
◦ A comparison of Intrusion Detection systems (2001), by E. Biermann et al.
◦ Research in Intrusion-Detection Systems: A Survey (1999), by S. Axelsson
Commercial tests of IPS
◦ NSS Labs: tested 1000 in-the-wild exploits against commercial IPS products
No research on the robustness and expressiveness of the signatures themselves.
Selecting Vulnerabilities
Chose vulnerabilities based on whether…
◦ the software is open source
◦ the vulnerability is current
◦ a Cisco IPS signature exists for it
Installed the correct versions of the software on a Linux machine and tested that they ran correctly
Throw-aways:
◦ PHP: Horde, CVE-2012-0209
◦ Oracle: CVE-2010-3585
◦ SquirrelMail: CVE-2003-0990
Decided to use Samba and MySQL (yaSSL)
Samba
• Open source network file system
• Implementation of SMB (Server Message Block) / CIFS (Common Internet File System)
• Allows transferring files between Windows and Linux machines
Cisco Signature for CVE-2003-0201 (Cisco signature 3325/0)
\xff\x53\x4d\x42\x32 [\x00-\xff]+ \x00\x14 ((\x04[^\x00]) | [\x05-\xff])
◦ \xff\x53\x4d\x42 \x32: the SMB magic "\xffSMB", followed by command byte 0x32 (SMB_COM_TRANSACTION2)
◦ [\x00-\xff]+: one or more arbitrary bytes (a wildcard run, effectively .*, except that at least one byte is required)
◦ \x00\x14: a fixed two-byte marker
◦ (\x04[^\x00]): 0x04 followed by any byte that is not 0x00
◦ | [\x05-\xff]: or a single byte in the range 0x05-0xff
Anything that keeps the marker but puts 0x00-0x03, or 0x04 0x00, after it is outside what the signature can express.
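To see exactly which byte sequences the signature above can and cannot express, here is the regex compiled as written on the slide and run over a handful of constructed SMB messages. This is an added example, not code from the slides or from Cisco; the messages are hand-built stand-ins (magic, command byte, zero filler for the rest of the 32-byte header, then a short tail) and are not exploit packets for CVE-2003-0201.

```python
import re

# Cisco IPS signature 3325/0 for CVE-2003-0201, exactly as written on the
# slide, compiled as a bytes regex so it can be run against raw SMB messages.
SIG_3325 = re.compile(
    rb"\xff\x53\x4d\x42\x32"          # "\xffSMB" magic, then command 0x32 (SMB_COM_TRANSACTION2)
    rb"[\x00-\xff]+"                  # one or more arbitrary bytes (the slide's "equivalent to *")
    rb"\x00\x14"                      # fixed two-byte marker
    rb"(?:\x04[^\x00]|[\x05-\xff])"   # 0x04 + a non-zero byte, or a single byte in 0x05..0xff
)

SMB_HEADER_LEN = 32  # size of the fixed SMB header


def smb_message(command: int, tail: bytes) -> bytes:
    """Constructed SMB message for the example (not a real exploit packet):
    4-byte magic, command byte, zero filler to the end of the 32-byte header,
    then the caller-supplied tail standing in for the Trans2 request fields."""
    header = b"\xffSMB" + bytes([command]) + b"\x00" * (SMB_HEADER_LEN - 5)
    return header + tail


def is_detected(msg: bytes) -> bool:
    """True if signature 3325/0 matches anywhere in the message."""
    return SIG_3325.search(msg) is not None


# Constructed tails; only the bytes around the \x00\x14 marker matter to the signature.
SAMPLES = {
    # marker followed by 0x05: matches the [\x05-\xff] branch
    "marker_then_05": smb_message(0x32, b"\x0f\x00\x14\x05\x01" + b"A" * 16),
    # marker followed by 0x04 and a non-zero byte: matches the (\x04[^\x00]) branch
    "marker_then_04_nonzero": smb_message(0x32, b"\x0f\x00\x14\x04\x7f" + b"A" * 16),
    # marker followed by 0x04 0x00: excluded by [^\x00], so NOT detected
    "marker_then_04_00": smb_message(0x32, b"\x0f\x00\x14\x04\x00" + b"A" * 16),
    # marker followed by 0x03: below the 0x05 floor and not 0x04, so NOT detected
    "marker_then_03": smb_message(0x32, b"\x0f\x00\x14\x03\x7f" + b"A" * 16),
    # same tail, different SMB command byte: the fixed prefix fails, NOT detected
    "other_command": smb_message(0x25, b"\x0f\x00\x14\x05\x01" + b"A" * 16),
}


def classify_samples() -> dict:
    """Map each constructed sample name to whether signature 3325/0 fires on it."""
    return {name: is_detected(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:24s} detected={hit}")
```

The point of the table of samples is the gap between the signature and the protocol: the regex only says what follows the marker, not what the field means, so any value the signature author did not enumerate passes the IPS regardless of what it does to the server.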
MySQL yaSSL SSL Hello Message Buffer Overflow
SSL – Secure Sockets Layer
◦ Application data is encrypted by the SSL code
◦ SSL handshake flow (ClientHello, ServerHello, key exchange, Finished)
◦ Symmetric-key cryptography is used to encrypt and decrypt application data messages
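The hello message the vulnerability title refers to is the first handshake message, and its layout is a chain of length-prefixed fields, each of which a parser must bound before copying. The following added example (not yaSSL's or MySQL's code, and not a reproduction of the yaSSL bug) builds a constructed SSL 3.0/TLS 1.0 ClientHello and parses it with the checks a safe implementation needs: every encoded length is tested against the bytes actually present and, for the session ID, against the protocol maximum of 32 bytes, since a length can be consistent with the record and still overrun a fixed-size buffer. Field names and the helper functions are my own.

```python
import struct

MAX_SESSION_ID = 32   # SSL 3.0 / TLS: SessionID is at most 32 bytes
HANDSHAKE = 0x16      # record-layer content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message type


def build_client_hello(session_id: bytes, cipher_suites: list, version=(3, 1)) -> bytes:
    """Constructed ClientHello (not a capture) inside a handshake header and a record
    header. version=(3,1) is TLS 1.0, (3,0) is SSL 3.0. Extensions are not emitted."""
    client_random = bytes(range(32))  # fixed, not random: keeps the example deterministic
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (bytes(version) + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")            # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Parse a ClientHello, checking each length field against the bytes present and
    against the protocol maximum before using it. Raises ValueError on inconsistency."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    if 5 + rec_len > len(data):
        raise ValueError("record length exceeds available bytes")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if 4 + int.from_bytes(hs[1:4], "big") != len(hs):
        raise ValueError("handshake length does not match record")
    body, pos = hs[4:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past the end of the message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = take(2)
    take(32)                              # client random
    sid_len = take(1)[0]
    if sid_len > MAX_SESSION_ID:
        # The check a fixed-size session-ID buffer depends on: the encoded length can be
        # consistent with the record and still exceed the 32-byte maximum.
        raise ValueError(f"session_id length {sid_len} exceeds {MAX_SESSION_ID}")
    session_id = take(sid_len)
    cs_len = struct.unpack(">H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError("invalid cipher_suites length")
    suites_raw = take(cs_len)
    suites = [struct.unpack(">H", suites_raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len = take(1)[0]
    if cm_len == 0:
        raise ValueError("no compression methods")
    comp = take(cm_len)
    return {"version": tuple(version), "session_id": session_id,
            "cipher_suites": suites, "compression": list(comp)}


def rejects(data: bytes) -> bool:
    """True if the parser refuses the message."""
    try:
        parse_client_hello(data)
        return False
    except ValueError:
        return True


# Constructed inputs for the example.
GOOD = build_client_hello(b"sessionid1234567", [0x002F, 0x0035])
# 40-byte session ID: every length field is internally consistent; only the 32-byte cap catches it.
OVERLONG_SID = build_client_hello(b"A" * 40, [0x002F])
# GOOD with the session_id length byte (offset 5 + 4 + 2 + 32 = 43) patched to 0xff.
TRUNCATED = GOOD[:43] + b"\xff" + GOOD[44:]

if __name__ == "__main__":
    print(parse_client_hello(GOOD))
    print("overlong session id rejected:", rejects(OVERLONG_SID))
    print("truncated session id rejected:", rejects(TRUNCATED))
```

The two rejected inputs fail for different reasons, which is the distinction that matters for both a server and an IPS: TRUNCATED is caught by comparing the length against the record, while OVERLONG_SID is only caught by the protocol maximum. A signature or a parser that checks the first and not the second still lets an over-long session ID through.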
Attacking code => signature in the IPS
Signature byte string derived from the attacking code:
\xcd\xa7\x21K\xe3U\xb3\x89\x3b\x00\xbeSH\xe9A\xac\x0e\x02\xd9\x93\xce\xda\xf2\xa2\xa3kMB\x60\xaa\xec\x02bb\x00Paaaaaaaa
Still cannot match…
Testing Environment
Linux machine
◦ Samba 2.0 installed
◦ MySQL 5.0 installed
Cisco IPS 4270
Topology: Client → Cisco IPS 4270 → Linux server
Challenges, Scope, and Goals
Challenges
◦ Each vulnerability has to be studied and altered by hand
Scope
◦ No automated process, so benchmarking is not possible
◦ Measure of success: whether or not the exploit is detected
Goals
◦ Study 4 vulnerabilities in depth
◦ Modify existing exploits to evade the Cisco signature
◦ Launch 4 attacks, (hopefully) undetected by the IPS