Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

7/30/2007
06:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Black Hat: How to Hack IPS Signatures

Errata Security says attackers are already reverse-engineering IPS vendors' zero-day signatures like TippingPoint's to wage attacks, bypass IPSs

Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack.

Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. The company was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, although they will only demonstrate their research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook."

The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn't have otherwise been known about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says.

Graham says it's no surprise this could be accomplished, but it was a bit of a shock to him that attackers are already using it to their advantage. "The biggest surprise is people are already doing it. We found one [of these attacks] in the wild... We're pushing this issue to prove how easily it can be done."

TippingPoint late last month temporarily removed its Zero Day Initiative (ZDI) signature updates for its IPSs after getting the word from Errata on its research. The IPS vendor said it then added more secure storage and delivery to its software and recently released an update with those enhancements. And now its customers can choose to "opt in" to receive future ZDI filters.

But the cat was already out of the bag. Graham says Errata decided to test the ZDI signatures after finding at least two different hacking groups that wrote zero-day attacks using the signature TippingPoint released to patch the hole found in the infamous $10,000 Apple hacking contest at CanSec West earlier this year.

"One person we know who's done this is pissed off at us because he's been feeding off these free zero-days for a while now. Now he knows he's going to be cut off" with TippingPoint securing it, he says.

Errata used the well known IDA Pro reverse-engineering tool, and also wrote its own tools for decrypting TippingPoint's signatures. Graham says he won't be releasing the tools: "We want to demonstrate that it can be done... We don't want to make it easy for others to do this."

He argues that the trouble with these zero-day signatures is they are often used more for marketing purposes so an IPS vendors can show that they "got there" first, but this process instead invites trouble. "The value of a zero-day [signature] is if there is a threat. But if the signature is more for marketing purposes, it becomes more of a threat than the zero-day [vulnerability]."

TippingPoint's ZDI program has stirred controversy because it pays hackers for zero-day bugs and then issues signatures for them in TippingPoint's products. "It doesn't give TippingPoint any greater understanding for its own researchers, but it's buying content from others and encouraging black-hat activity," Graham says. "ZDI is just a publicity stunt."

TippingPoint, meanwhile, maintains that the ZDI program has merit. "We believe, and our customers agree, that providing zero-day filters in advance of vendor announcement of a vulnerability is serving a positive security purpose, in spite of the risk that some point out," says Terri Forslof, manager of security response for TippingPoint. "We appreciate Errata bringing to our attention concerns related to zero-day delivery and storage, and took them seriously enough to invest development time in [these] enhancements."

TippingPoint emphasized that this is not a vendor-specific issue. "Any product with zero-day filters can be reverse engineered. We just happen to have been highlighted as proof of concept," Forslof says. "We encourage other zero-day vendors to thoroughly evaluate their own policies and protective measures."

Errata's Graham says what made TippingPoint's signatures easy to decrypt is that they ship the decryption key hidden within the signature update -- "so all we needed to do was figure out where they hid it."

How can IPS vendors protect their signatures? Graham says Errata's Black Hat briefing session will also include some strategies for this, but the bottom line is vendors cannot protect themselves with software alone. Specialized hardware is necessary, and they can make reverse-engineering more difficult for attackers by compiling their signatures beforehand. "An important first step would be to compile the signatures at the factory before sending them to the box, rather than shipping the source of their signatures."

As for IPS customers, if you're a high-value target, Graham says, you need to be aware that the bad guys already have these signatures, and they could use them to hit you. It's simple for an attacker to bypass the IPS altogether: "All they have to do is change a few bytes in the patterns" of the exploit, and they can get right past the IPS.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Black Hat Inc.
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Errata Security
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • McAfee Inc. (NYSE: MFE)
  • TippingPoint Technologies Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-6852
    PUBLISHED: 2019-11-20
    A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
    CVE-2019-6853
    PUBLISHED: 2019-11-20
    A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
    CVE-2013-2092
    PUBLISHED: 2019-11-20
    Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
    CVE-2013-2093
    PUBLISHED: 2019-11-20
    Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
    CVE-2015-3166
    PUBLISHED: 2019-11-20
    The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...