Testing For Vulnerabilities Without Triggering IPS Signatures presented at SyScan 2010

by Anthony Bettini

Tags: Security

Summary: While it's true that many exploits simply blindly send a payload and wait for a shell,
many exploits written today contain pre-checks to determine whether a host is vulnerable
or not, and only if so is the payload sent. This scenario is often mirrored in malware,
worms, and even vulnerability assessment checks. This paper and talk will focus on educating
attendees, with detailed examples, on how to detect whether vulnerabilities are present
without triggering IPS signatures. It is important to note, however, that this is not a talk on
fragmentation or other ways to exploit the vulnerability while evading an IPS. This is a talk
on crafting the pre-checks in such a way that the vulnerability is never triggered or disclosed,
thus automatically bypassing IPS systems. This is particularly useful for security vendors to
ensure stability and cross-product compatibility, and it is useful from an attacker's perspective,
especially in the case of non-public vulnerabilities, where an attacker may want to build up a
list of vulnerable targets while at the same time not disclosing what vulnerability is actually
being tested for.