April 19, 2002 9:45 AM PDT
New tool helps hackers evade detection
The tool, called Fragroute, performs several techniques to fool the signature-based recognition systems used by many intrusion-detection systems and firewalls. Many of these duping techniques were outlined in a research paper published four years ago.
Arbor Networks security researcher Dug Song posted the tool to his Web site this week. Arbor is a network protection company.
"(Some) firewalls and intrusion prevention or other application-layer content-filtering devices have similar vulnerabilities that may be tested with Fragroute," Song wrote in a posting to security mailing list Bugtraq on Thursday.
The new tool tips the arms race between those who look to break in to networks and those who defend them toward the attackers, at least for the moment. Any firewall or intrusion-detection system that fails the Fragroute test is vulnerable attack from vandals using the program.
Song was traveling and could not be reached for comment, an Arbor representative said, and his company would not comment on the issue.
The Fragroute program is a dual-use program: It illuminates weaknesses in a network's security--information that can aid a system administrator in protecting the network or helping a hacker attack the network. The program exploits several ways of inserting specific data into a sequence of information to fool detection programs. The methods were highlighted in a January 1998 paper written by Thomas Ptacek and Timothy Newsham of security specialist Secure Networks, a company later bought by Network Associates.
The program exploits intrusion-detection systems, which often check the correctness of incoming data less stringently than the server software that is typically targeted by hackers. In one version of such "insertion" attacks, a command sent to a server could be disguised by adding extraneous, illegitimate data. The targeted server software will throw away any bad data, leaving itself with a valid, but malicious, command.
However, many intrusion-detection systems don't remove the corrupted data, so the hostile command remains disguised from the system's recognition functions.
For example, an intrusion-detection system that watches out for a recent buffer overflow might recognize the attack by the text "http:///" appearing in the incoming data. However, if an attacker sends "http://somegarbagehere/" and knows that the "somegarbagehere" portion will be thrown out by the target computer, then the attack still works. Moreover, if the intrusion-detection system doesn't remove the same text portion as the server, it won't recognize the threat.
Marti Roesch, president of security appliance seller SourceFire and the creator of the popular open-source intrusion-detection system Snort, said that the majority of the problems exploited by Fragroute have been fixed, and he plans to fix the rest by next week.
"Dug contacted me about this stuff several months ago, and I fixed it," Roesch said.
While he hasn't programmed a defense to every stealth attack that Fragroute has in its repertoire, doing so won't be hard, he added.
"Many of these take 10 minutes of coding, max, to fix," he said. "It just wasn't an issue before."
While many of the attacks won't work against Snort if it's configured properly, Roesch said that the default configuration doesn't detect the camouflaged data, because such settings produce a far greater number of false alarms.
Some security aficionados posting to the Bugtraq list concentrated on Snort as a program vulnerable to the Fragroute program, but Song waved off the implied criticism on the open-source program in his posting.
"Snort, I'd wager, does much better than most," he wrote, adding that many other proprietary programs are also vulnerable.
One commercial software seller, network protection firm Internet Security Systems, claimed that its product, RealSecure, wasn't affected.
"We initially fixed the fragmentation issues when we saw the paper quite some time ago," said Dan Ingevaldson, team lead for the company's security research and development group.
His group tested Song's tool earlier this week, and they were still able to detect attacks, Ingevaldson said.