pen-test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: HIPS Buffer Overflow Protection - Bypass

from [dfullerton] [Permanent Link][Original]
To: <pen-test@securityfocus.com>
Subject: Re: HIPS Buffer Overflow Protection - Bypass
From: <dfullerton@mantor.org>
Date: Wed, 15 Nov 2006 14:43:59 -0500
Delivered-to: sp-com-lists@consult.net
Delivered-to: pentest-list2@consult.net
Delivered-to: mailing list pen-test@securityfocus.com
Delivered-to: moderator for pen-test@securityfocus.com
List-help: <mailto:pen-test-help@securityfocus.com>
List-id: <pen-test.list-id.securityfocus.com>
List-post: <mailto:pen-test@securityfocus.com>
List-subscribe: <mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list: contact pen-test-help@securityfocus.com; run by ezmlm
Reply-to: <dfullerton@mantor.org>
Resent-date: Wed, 15 Nov 2006 18:22:45 -0700 (MST)
Resent-from: pen-test-return-1078482981@securityfocus.com
Resent-message-id: <20061116012245.88F5F237DCC@outgoing3.securityfocus.com>
Resent-sender: listbounce@securityfocus.com
Sender: listbounce@securityfocus.com
User-agent: NOCC <http://nocc.sourceforge.net/> 
Bart,

Basically this means that this HIPS does not detect nor protect against this 
buffer overflow. Looks like the only thing detected by the IPS was the 
different Metasploit payload except the “adduser” one (the actual shellcode 
signature). Consequently, we can say that any custom payload would go 
undetected. Signature-based recognition is one part of the whole detection 
picture and looks like this IPS can’t do much in others portions of 
detection/prevention for this vulnerability such as stack protection (write and 
execution of stack memory segment) and heuristic.

Danny Fullerton
IT security Specialist
Mantor Organization

___________________________________
NOCC, http://nocc.sourceforge.net



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Mag Stripe reader for POS terminal pentest, Jason Ostrom
Next by Date:  Tutorial for brute forcing Web apps,, IRM
Previous by Thread:  HIPS Buffer Overflow Protection - Bypass, bart
Next by Thread:  Re: HIPS Buffer Overflow Protection - Bypass, Sanjay R
Indexes:  [Date] [Thread] [Top] [All Lists]