HIPS Buffer Overflow Protection - Bypass

From: bart@packetjunkie.com
Date: Tue Nov 14 2006 - 17:20:22 EST


List,
  
I've recently been testing some HIPS products to gauge their
effectiveness against different exploits and stumbled on something a
little strange yesterday. Everything I launched against one of the
products (to remain anonymous) was picked up either by the signature
based prevention or its generic buffer overflow protection. I was
almost ready to hang it up and then I decided to change up some of the
payloads in the attacks to see if that would make a difference.
  
I launched the ms06-040 exploit against an unpatched Win2K Server SP4
system using Metasploit 3.0. Every payload I tried was caught, EXCEPT
for the windows/adduser payload. After running the exploit with this
payload, an account was successfully created on the system with
administrator privileges. It worked like a charm.
  
My question to all of you is basically, why would this product detect
and prevent all of the other payloads used with this exploit except for
this one? Would it be because of the size (adduser payload is smaller
than say the bind_tcp payload) or something else? Could it be that
since the product did not have a signature for that specific exploit,
and it relied on the buffer overflow protection piece, the exploit ran,
and when it came time for the shellcode to run, it did not detect it as
"foreign" or not authorized?
  
I don't want to have to say which product this was, but I will say that
I will be trying this exact vector on the next few I try and will post
an update if they too allow this to happen. It just confuses me as to
why a certain shellcode is allowed to execute and others would not be.
 
  
Any help would be great. I'm just trying to satisfy my own curiosity
here and see if maybe there's something a little deeper that I may have
stumbled on. Thanks.
  
- Bart

