Analytics
7/30/2007
06:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Black Hat: How to Hack IPS Signatures

Errata Security says attackers are already reverse-engineering IPS vendors' zero-day signatures like TippingPoint's to wage attacks, bypass IPSs

Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack.

Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. The company was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, although they will only demonstrate their research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook."

The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn't have otherwise been known about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says.

Graham says it's no surprise this could be accomplished, but it was a bit of a shock to him that attackers are already using it to their advantage. "The biggest surprise is people are already doing it. We found one [of these attacks] in the wild... We're pushing this issue to prove how easily it can be done."

TippingPoint late last month temporarily removed its Zero Day Initiative (ZDI) signature updates for its IPSs after getting the word from Errata on its research. The IPS vendor said it then added more secure storage and delivery to its software and recently released an update with those enhancements. And now its customers can choose to "opt in" to receive future ZDI filters.

But the cat was already out of the bag. Graham says Errata decided to test the ZDI signatures after finding at least two different hacking groups that wrote zero-day attacks using the signature TippingPoint released to patch the hole found in the infamous $10,000 Apple hacking contest at CanSec West earlier this year.

"One person we know who's done this is pissed off at us because he's been feeding off these free zero-days for a while now. Now he knows he's going to be cut off" with TippingPoint securing it, he says.

Errata used the well known IDA Pro reverse-engineering tool, and also wrote its own tools for decrypting TippingPoint's signatures. Graham says he won't be releasing the tools: "We want to demonstrate that it can be done... We don't want to make it easy for others to do this."

He argues that the trouble with these zero-day signatures is they are often used more for marketing purposes so an IPS vendors can show that they "got there" first, but this process instead invites trouble. "The value of a zero-day [signature] is if there is a threat. But if the signature is more for marketing purposes, it becomes more of a threat than the zero-day [vulnerability]."

TippingPoint's ZDI program has stirred controversy because it pays hackers for zero-day bugs and then issues signatures for them in TippingPoint's products. "It doesn't give TippingPoint any greater understanding for its own researchers, but it's buying content from others and encouraging black-hat activity," Graham says. "ZDI is just a publicity stunt."

TippingPoint, meanwhile, maintains that the ZDI program has merit. "We believe, and our customers agree, that providing zero-day filters in advance of vendor announcement of a vulnerability is serving a positive security purpose, in spite of the risk that some point out," says Terri Forslof, manager of security response for TippingPoint. "We appreciate Errata bringing to our attention concerns related to zero-day delivery and storage, and took them seriously enough to invest development time in [these] enhancements."

TippingPoint emphasized that this is not a vendor-specific issue. "Any product with zero-day filters can be reverse engineered. We just happen to have been highlighted as proof of concept," Forslof says. "We encourage other zero-day vendors to thoroughly evaluate their own policies and protective measures."

Errata's Graham says what made TippingPoint's signatures easy to decrypt is that they ship the decryption key hidden within the signature update -- "so all we needed to do was figure out where they hid it."

How can IPS vendors protect their signatures? Graham says Errata's Black Hat briefing session will also include some strategies for this, but the bottom line is vendors cannot protect themselves with software alone. Specialized hardware is necessary, and they can make reverse-engineering more difficult for attackers by compiling their signatures beforehand. "An important first step would be to compile the signatures at the factory before sending them to the box, rather than shipping the source of their signatures."

As for IPS customers, if you're a high-value target, Graham says, you need to be aware that the bad guys already have these signatures, and they could use them to hit you. It's simple for an attacker to bypass the IPS altogether: "All they have to do is change a few bytes in the patterns" of the exploit, and they can get right past the IPS.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Black Hat Inc.
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Errata Security
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • McAfee Inc. (NYSE: MFE)
  • TippingPoint Technologies Inc.

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Dark Reading, September 16, 2014
    Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
    Flash Poll
    Threat Intel Today
    Threat Intel Today
    The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-0560
    Published: 2014-09-17
    Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.

    CVE-2014-0561
    Published: 2014-09-17
    Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567.

    CVE-2014-0562
    Published: 2014-09-17
    Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

    CVE-2014-0563
    Published: 2014-09-17
    Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors.

    CVE-2014-0565
    Published: 2014-09-17
    Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant