<div>Aviv,</div> <div><BR>> There are gateway solutions out there which implement sort-of lexical<BR>> parsers (e.g. www.esafe.com, www.webwasher.com, <A href="http://www.finjan.com">www.finjan.com</A>).</div> <div> </div> <div>Isn't it wonderful that we got these wonderful technical solutions? But without even arguing the technical capabilities of the above-mentioned products, I believe there's a limit as to how far we can push the envelope, i.e. I can't afford to buy "specialized" security tools/devices for "specialized" attacks unless my company relies heavily on web/content services.<BR><BR>> Also, there is no way to "gather the maximum number of exploit variants as<BR>> you can". Because, by using server side scripting to randomize the exploit's<BR>> content, it's unfeasible to collect all possible variants.<BR></div> <div>Agreed. I forgot to mention that I have worked for some network-style IPS companies. These mails stem out
from my experience and frustration in tackling the kind of vulnerabilities we are discussing here. We, as a vendor, would hedge our bet on the fact that crackers won't use randomized exploit generators (how many WMF mass-exploitation scenarios used gzip+chunked evasion?). Let me confess, as an engineer I always felt as being one-step behind the hackers, but sometimes you have to forget the existential angst and just deliver. </div> <div> </div> <div>> I really would like to know the source of information which tells you that<BR>> AV solutions provide almost 99% of protection against in-the-wild<BR>> exploits... "Few sources" doesn't necessarily mean few possible variants.<BR></div> <div>I wasn't talking about AV solutions. My focus was on one part of the solution, IDS/IPS. In our company, we established an information-sharing network with other security companies. So the real-time exploit-facing signatures were then subjected to live traffic,
honeypots and countless variants; they seemed to work out pretty well. </div> <div><BR>Thanks,</div> <div>Pukhraj<BR><BR><B><I>Aviv Raff <avivra@gmail.com></I></B> wrote:</div> <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"> <div>Hi, <BR><BR>There are gateway solutions out there which implement sort-of lexical<BR>parsers (e.g. www.esafe.com, www.webwasher.com, <A href="http://www.finjan.com">www.finjan.com</A>).</div> <div><BR><BR>Also, there is no way to "gather the maximum number of exploit variants as<BR>you can". Because, by using server side scripting to randomize the exploit's<BR>content, it's unfeasible to collect all possible variants.<BR><BR>I really would like to know the source of information which tells you that<BR>AV solutions provide almost 99% of protection against in-the-wild<BR>exploits... "Few sources" doesn't necessarily mean few possible variants.<BR><BR>--
Aviv.<BR><BR>-----Original Message-----<BR>From: Pukhraj Singh [mailto:pukhraj.singh@gmail.com] <BR>Sent: Tuesday, September 26, 2006 10:40 PM<BR>To: avivra; EArsal@techdata.de<BR>Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com<BR>Subject: Re: VML Exploit vs. AV/IPS/IDS signatures<BR><BR>Avivra,<BR><BR>I acknowledge the research you and Ertunga<BR>(http://www.immunitysec.com/pipermail/dailydave/2006-September/003557.html)<BR>have put up.<BR><BR>Protection against client-side scripting vulnerabilities is the<BR>Achilles' Heel for all network-style IDS/IPS vendors. These languages<BR>offer too much flexibility over the syntax and semantics, thus<BR>becoming the pain-point for the underlying architecture for<BR>network-style IDS/IPS which are better accustomed to analyze<BR>structured data (like protocols and even file-formats). There is<BR>simply too much you can mutate here and you can't expect vendors to<BR>develop on-the-fly javascript parsers! Thus the
protection they<BR>develop is simply a business objective, as they can lose a lot of<BR>mileage here if they don't cover vulnerabilities like this one. They<BR>had the same stance for file-format vulnerabilities till they were<BR>forced to add decoding routines for them by the sheer number of new<BR>file-based vulnerabilities which were coming out. AV and local-style<BR>protection is the best defense mechanism here (but even they failed in<BR>this case!).<BR><BR>However, the other way out is to gather the maximum number of exploit<BR>variants as you can (from mutual cooperation between security<BR>companies) and provide real-time exploit-facing protection against<BR>them. This is what they generally do and it provides almost 99%<BR>protection (might surprise many) because most out-in-the-wild exploits<BR>are derived from few sources only.<BR><BR>Thanks,<BR>Pukhraj<BR><BR>On 9/26/06, avivra <AVIVRA@GMAIL.COM>wrote:<BR>> The code for exploiting the unpatched VML
vulnerability is in-the-wild<BR>> for a week or so. This was enough time for Anti Virus, IPS/IDS and<BR>> other reactive security products' vendors to create a signature for<BR>> the in-the-wild exploit.<BR>> So, I put my hand on one of the in-the-wild and tested it using Virus<BR>> Total. The results were not so good. Only 10 of 27 Anti-Viruses<BR>> detected the exploit on the malicious web page.<BR>> Are those signatures generic enough? I've decided to check it out.<BR>><BR>> I've used 5 simple methods, trying to evade being detected by the<BR>signature:<BR>> 1) I've replaced the location where EIP should jump when the exploit<BR>> is activated, with a different valid address.<BR>> 2) I've replaced the VML element from "rect" with one of the other VML<BR>elements.<BR>> 3) I've replaced the payload with a different valid shell code.<BR>> 4) I've replaced the namespace key with a random key.<BR>> 5) A combination of all of the
above.<BR>><BR>> Please note that when I changed the code using any of the methods, the<BR>> exploit still worked.<BR>><BR>> More info:<BR>http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx<BR>><BR>> -- Aviv.<BR>><BR><BR>_______________________________________________<BR>Full-Disclosure - We believe in it.<BR>Charter: http://lists.grok.org.uk/full-disclosure-charter.html<BR>Hosted and sponsored by Secunia - http://secunia.com/<BR></div></BLOCKQUOTE><BR><p> 
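The thread's core disagreement is whether a byte-exact, exploit-facing signature can survive the trivial mutations Aviv lists (another VML element, a random namespace prefix, a different payload). The Python below is an added illustration, not code from the thread or from any product named in it: the sample pages are constructed and contain no exploit content, and the "overlong attribute value on a VML-namespaced element" feature is an assumed heuristic chosen only to show the difference between matching bytes and matching structure.

```python
import re

# Constructed, harmless sample pages. Each mimics one mutation the thread lists.
FILLER = "A" * 600  # stand-in for an oversized attribute value; not exploit data
VML_NS = "urn:schemas-microsoft-com:vml"
PAGES = {
    "original":      '<html xmlns:v="%s"><v:rect fill="%s"/></html>' % (VML_NS, FILLER),
    "other_element": '<html xmlns:v="%s"><v:oval fill="%s"/></html>' % (VML_NS, FILLER),
    "random_prefix": '<html xmlns:q7z="%s"><q7z:rect fill="%s"/></html>' % (VML_NS, FILLER),
    "other_payload": '<html xmlns:v="%s"><v:rect fill="%s"/></html>' % (VML_NS, "B" * 600),
    "benign":        '<html xmlns:v="%s"><v:rect fill="red"/></html>' % VML_NS,
}

# 1) Narrow, exploit-facing signature: the exact bytes of the sample caught in
#    the wild. Anything that changes the element, prefix or payload slips past.
NARROW_SIG = '<v:rect fill="' + FILLER

def narrow_match(page: str) -> bool:
    return NARROW_SIG in page

# 2) Structure-aware check (assumed heuristic): resolve whichever prefix is
#    bound to the VML namespace, then flag any element in that namespace whose
#    attribute value exceeds a length threshold, regardless of element name,
#    prefix or the bytes inside the value.
MAX_ATTR = 256

def vml_prefixes(page: str) -> set:
    pat = r'xmlns:([\w.-]+)\s*=\s*"' + re.escape(VML_NS) + '"'
    return set(re.findall(pat, page))

def structural_match(page: str) -> bool:
    for prefix in vml_prefixes(page):
        tag_pat = r'<' + re.escape(prefix) + r':[\w-]+\b([^>]*)>'
        for tag in re.finditer(tag_pat, page):
            values = re.findall(r'[\w:-]+\s*=\s*"([^"]*)"', tag.group(1))
            if any(len(v) > MAX_ATTR for v in values):
                return True
    return False

def evaluate() -> dict:
    """Return {sample: (narrow_hit, structural_hit)} for every constructed page."""
    return {name: (narrow_match(p), structural_match(p)) for name, p in PAGES.items()}

if __name__ == "__main__":
    for name, (narrow, structural) in evaluate().items():
        print(f"{name:14s} narrow={narrow!s:5s} structural={structural}")
```

The structural check still has an obvious blind spot the thread itself raises: server-side randomization of anything the regex keys on (encoding, attribute splitting) needs a real parser, which is exactly the cost Pukhraj says network IDS/IPS vendors balk at.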
        
        