7/30/2007 06:30 AM

Black Hat: How to Hack IPS Signatures

Errata Security says attackers are already reverse-engineering IPS vendors' zero-day signatures, such as TippingPoint's, to build exploits and to slip past the IPS itself

Careful: that zero-day signature you just got from your IPS vendor could be used against you. Researchers from Errata Security will show at Black Hat USA this week how an attacker can easily reverse-engineer the zero-day filters that IPS (intrusion prevention system) vendors distribute, and then turn each one into a working attack on the very bug it was meant to block.

Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. Errata was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, but will only demonstrate its research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker's Handbook."

The researchers will show how such a signature effectively describes a not-yet-public bug and the traffic that triggers it, handing an attacker ammunition for vulnerabilities nobody else knows about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says.

Graham says it's no surprise this could be accomplished, but it was a bit of a shock to him that attackers are already using it to their advantage. "The biggest surprise is people are already doing it. We found one [of these attacks] in the wild... We're pushing this issue to prove how easily it can be done."

TippingPoint late last month temporarily withdrew its Zero Day Initiative (ZDI) signature updates for its IPSs after Errata told it about the research. The IPS vendor said it then added more secure storage and delivery of the filters to its software and recently released an update with those enhancements. Its customers can now choose to "opt in" to receive future ZDI filters.

But the cat was already out of the bag. Graham says Errata decided to test the ZDI signatures after finding at least two different hacking groups that had written zero-day attacks from the filter TippingPoint released for the vulnerability behind the infamous $10,000 Apple hacking contest at CanSecWest earlier this year.

"One person we know who's done this is pissed off at us because he's been feeding off these free zero-days for a while now. Now he knows he's going to be cut off" with TippingPoint securing it, he says.

Errata used the well-known IDA Pro reverse-engineering tool, and also wrote its own tools for decrypting TippingPoint's signatures. Graham says he won't be releasing those tools: "We want to demonstrate that it can be done... We don't want to make it easy for others to do this."

He argues that the trouble with these zero-day signatures is that they are often used more for marketing purposes, so an IPS vendor can show that it "got there" first, but this practice instead invites trouble. "The value of a zero-day [signature] is if there is a threat. But if the signature is more for marketing purposes, it becomes more of a threat than the zero-day [vulnerability]."

TippingPoint's ZDI program has stirred controversy because it pays hackers for zero-day bugs and then issues signatures for them in TippingPoint's products. "It doesn't give TippingPoint any greater understanding for its own researchers, but it's buying content from others and encouraging black-hat activity," Graham says. "ZDI is just a publicity stunt."

TippingPoint, meanwhile, maintains that the ZDI program has merit. "We believe, and our customers agree, that providing zero-day filters in advance of vendor announcement of a vulnerability is serving a positive security purpose, in spite of the risk that some point out," says Terri Forslof, manager of security response for TippingPoint. "We appreciate Errata bringing to our attention concerns related to zero-day delivery and storage, and took them seriously enough to invest development time in [these] enhancements."

TippingPoint emphasized that this is not a vendor-specific issue. "Any product with zero-day filters can be reverse engineered. We just happen to have been highlighted as proof of concept," Forslof says. "We encourage other zero-day vendors to thoroughly evaluate their own policies and protective measures."

Errata's Graham says what made TippingPoint's signatures easy to decrypt is that they ship the decryption key hidden within the signature update -- "so all we needed to do was figure out where they hid it."
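To make concrete what it means for the decryption key to ride inside the update, here is an added example. It is not Errata's tooling and not TippingPoint's real format: the blob layout, the rule syntax, the filter numbers, the key and the toy XOR cipher are all constructed for illustration. The appliance side reads the key from an offset baked into its firmware; the attacker side has no firmware and no offset, and simply tries every 16-byte window of the blob as a key, keeping the one that turns the encrypted body into readable text. That is the whole of "figure out where they hid it".

```python
from __future__ import annotations

import random
import string
import struct

MAGIC = b"SIGU"            # hypothetical update header tag
KEY_LEN = 16
PADDING = 40               # junk bytes on either side of the key
KEY_OFFSET = 8 + PADDING   # constant the hypothetical appliance firmware knows; the attacker does not

# Constructed sample rule set; syntax and numbers are made up, not any vendor's.
RULES = (
    "# sample filter source, constructed for this example\n"
    'filter 1001 proto=tcp dport=80 content="/vuln.cgi?id=" depth=40\n'
    'filter 1002 proto=udp dport=161 content="|30 82 00|" offset=0\n'
)
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed key


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR. A real cipher with an embedded key fails the same way."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_update(rules: str, key: bytes, seed: int = 7) -> bytes:
    """Vendor side (hypothetical): header, junk, the key itself, junk, encrypted rules."""
    rng = random.Random(seed)

    def junk() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(PADDING))

    body = xor_stream(rules.encode(), key)
    header = MAGIC + struct.pack("<I", len(body))   # 8 bytes, so the key lands at KEY_OFFSET
    return header + junk() + key + junk() + body


def appliance_decrypt(blob: bytes) -> str:
    """What the box does: it knows the offset, so it just reads the key out of the update."""
    (body_len,) = struct.unpack_from("<I", blob, 4)
    key = blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    return xor_stream(blob[-body_len:], key).decode()


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; rule source scores 1.0, random bytes ~0.4."""
    return sum(chr(b) in string.printable for b in data) / len(data)


def recover_rules(blob: bytes) -> tuple[int, str]:
    """Attacker side: slide a KEY_LEN window over everything before the body and
    keep the window that decrypts the body into readable text."""
    if blob[:4] != MAGIC:
        raise ValueError("not an update blob")
    (body_len,) = struct.unpack_from("<I", blob, 4)
    body = blob[-body_len:]
    best_score, best_off = 0.0, -1
    for off in range(len(blob) - body_len - KEY_LEN + 1):
        score = printable_ratio(xor_stream(body, blob[off:off + KEY_LEN]))
        if score > best_score:
            best_score, best_off = score, off
    if best_score < 0.99:
        raise ValueError("no window decrypts the body to readable rules")
    key = blob[best_off:best_off + KEY_LEN]
    return best_off, xor_stream(body, key).decode("latin-1")


if __name__ == "__main__":
    blob = build_update(RULES, KEY)
    off, text = recover_rules(blob)
    print(f"key found at offset {off} (firmware constant is {KEY_OFFSET})")
    print(text)
```

The scan takes a few milliseconds because the search space is the blob, not the key: hiding the key in a different place, or under a different cipher, only changes which window wins. That is why the remedy has to be a key the update does not carry, which is the hardware argument made further down.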

How can IPS vendors protect their signatures? Graham says Errata's Black Hat briefing will also include some strategies for this, but the bottom line is that vendors cannot protect signatures with software alone: whatever key a software-only design uses to decrypt the update has to be present on the box or in the update itself, where an attacker can find it. Protecting it properly takes specialized hardware. In the meantime vendors can at least raise the cost of reverse-engineering by compiling their signatures before shipping them, rather than distributing readable signature source. "An important first step would be to compile the signatures at the factory before sending them to the box, rather than shipping the source of their signatures."

As for IPS customers, if you're a high-value target, Graham says, you need to be aware that the bad guys already have these signatures and could use them to hit you. And because an attacker who has recovered a filter can read exactly which bytes it matches, the IPS itself is simple to bypass: "All they have to do is change a few bytes in the patterns" of the exploit, and they can get right past the IPS.
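As an added illustration of that last point (not code from the article or from any IPS vendor; the wire protocol, buffer size, addresses, sled bytes and placeholder payload are all constructed), the block below goes slightly beyond the text: it contrasts an exploit-specific signature lifted from the first sample with a signature written against the vulnerability condition itself, which is the check a practitioner would want once they know attackers can read their filters.

```python
from __future__ import annotations

import struct

BUF_SIZE = 64                 # hypothetical server copies `name` into a 64-byte stack buffer
HDR = struct.Struct(">HH")    # constructed wire format: opcode, name_len
OP_LOGIN = 0x0001


def build_message(name: bytes) -> bytes:
    """Client side of the constructed protocol: header followed by the name field."""
    return HDR.pack(OP_LOGIN, len(name)) + name


# Placeholder payload (int3 bytes) stands in for real shellcode; addresses are made up.
SHELLCODE = b"\xcc" * 16
RET_ORIGINAL = struct.pack("<I", 0xBFFFFC10)   # points into the NOP sled
RET_SHIFTED = struct.pack("<I", 0xBFFFFC00)    # 16 bytes earlier, still inside the sled

# The exploit as first captured: 0x90 sled, saved-return-address overwrite, payload.
ORIGINAL_EXPLOIT = build_message(b"\x90" * 68 + RET_ORIGINAL + SHELLCODE)
# Same overflow with a few bytes changed: 0x41 (x86 `inc ecx`) is as good a sled
# filler as 0x90, and any address that lands in the sled works as the return target.
MUTATED_EXPLOIT = build_message(b"\x41" * 68 + RET_SHIFTED + SHELLCODE)
BENIGN = build_message(b"alice")

# Exploit-specific signature: literal bytes taken from the first sample.
SIG_SLED = b"\x90" * 16
SIG_RET = RET_ORIGINAL


def exploit_signature(msg: bytes) -> bool:
    """Fires only on the exact bytes of the known sample, which an attacker can read and change."""
    return SIG_SLED in msg and SIG_RET in msg


def vuln_signature(msg: bytes) -> bool:
    """Fires on the vulnerability condition: a login name longer than the target buffer,
    whether the overflow is declared in the header or simply present on the wire."""
    if len(msg) < HDR.size:
        return False                              # truncated message: nothing to decide on
    opcode, name_len = HDR.unpack_from(msg)
    if opcode != OP_LOGIN:
        return False
    actual = len(msg) - HDR.size
    return max(name_len, actual) > BUF_SIZE


if __name__ == "__main__":
    for label, msg in [("original", ORIGINAL_EXPLOIT), ("mutated", MUTATED_EXPLOIT), ("benign", BENIGN)]:
        print(f"{label:9s} exploit-sig={exploit_signature(msg)!s:5s} vuln-sig={vuln_signature(msg)}")
```

The mutated sample evades the byte-pattern filter while still overflowing the same buffer; the length check catches both because it describes what the bug needs rather than what one exploit looked like. The price is that writing such a check requires understanding the vulnerability, which is exactly the knowledge a shipped zero-day filter leaks to whoever can decrypt it.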

— Kelly Jackson Higgins, Senior Editor, Dark Reading

