How To Evade URL Filters With (Not-So) Fancy Math
Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."
The linked article is next to worthless. The real details are in this blog post.
Too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through a pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.
-- "If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z is keep your mouth shut." - Einstein
102 105 114 115 116 112 111 115 116 33
Hrm... wonder how much the owner of the ip at 0xdeadbeef wants for it... :D
I actually preferred using a URL with the 10-digit number that was my base 10 IP address in e-mails, as it got people's attention in an otherwise bland sea of domains. This has been a feature of libc as long as I can remember (in Linux you should be able to ping an IP address in some other number base), but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
...a snort inline installation.
Never follow a link that isn't a DNS name. Someone should write an addon that disables IP addresses for links, since they are almost always pointed at evil sites anyways. The only time I enter an IP is to connect to one machine on the LAN.
It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.
FTFA:
In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?
"A week in the lab saves an hour in the library"
All the alternate methods of specifying IP addresses for URLs work in Chrome. When you mouse over the link, you see it with the traditional decimal IP address, so it's not as obfuscated as it could be. Similarly when you reach the site, the URL displayed is in the traditional format.
Addresses like http://0xdeadbeef/ and http://0xdeadd00d/ are assigned to a Chinese telecom company (they have all of 0xdead....).
You can't just do things like this based on the syntax of the input, but rather on the semantics. In this case, to properly block the URLs, you need to parse them and transform them into an abstract representation of what they mean, e.g. a struct that encodes the protocol, host, port, document and query strings, and then examine the parse result to check if it matches the rule.
The IT industry just systematically fails this over and over, because of people's bad habit of doing shit with regular expressions instead of parsing and semantic analysis. See, for example, the gazillion ways that people get around cross-site scripting filters; or if you want to see it from the other angle (generation instead of parsing), see SQL injection.
Are you adequate?
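A canonicaliser of the kind the comment above calls for, written as an added example (it is not code from the thread; the blocklist entry and the sample URLs are constructed for illustration). The component rules follow the classic BSD inet_aton() behaviour that browsers and libc inherit: a 0x prefix means hexadecimal, a leading 0 means octal, anything else is decimal; one to four dotted components are accepted, and the last one fills whatever bytes the earlier ones left over. It also strips the user@ prefix and port that urlsplit() treats as separate from the host, so it goes a little beyond the hex/octal forms the summary mentions:

```python
"""Semantic URL filtering: canonicalise the host, then match a blocklist.

Added example, not code from the thread.  The parsing rules are the
inet_aton() ones:
  * component starting with 0x -> hex, leading 0 -> octal, else decimal;
  * one to four components; the last fills the bytes the others left over,
    so 0x4a.8196963 is a.b.c.d with b.c.d packed into the second number.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def _component(part: str) -> int:
    """Value of one dotted component; raises ValueError if it is not numeric."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]+", part):            # a lone "0" is handled below
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):      # rejects "08", "09" like inet_aton
        return int(part, 10)
    raise ValueError(f"not an inet_aton component: {part!r}")


def ipv4_from_host(host: str):
    """Dotted-decimal form of an inet_aton-style host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_component(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):              # leading components are single bytes
        return None
    tail_bytes = 4 - len(head)                   # bytes the final component must fill
    if last >= 1 << (8 * tail_bytes):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(packed))


def canonical_host(url: str):
    """Host the browser would connect to: userinfo and port stripped, IP literals normalised."""
    host = urlsplit(url).hostname                # drops user:pass@ and :port, lowercases
    if host is None:
        return None
    numeric = ipv4_from_host(host)
    if numeric is not None:
        return numeric
    try:
        return str(ipaddress.IPv6Address(host))  # bracketed IPv6 literal
    except ipaddress.AddressValueError:
        return host                              # a DNS name; resolving it is out of scope here


def naive_is_blocked(url: str, blocklist) -> bool:
    """The substring/regex style check the comment warns against."""
    return any(bad in url for bad in blocklist)


def is_blocked(url: str, blocklist) -> bool:
    """Semantic check: canonicalise first, then compare."""
    return canonical_host(url) in blocklist


if __name__ == "__main__":
    BLOCKLIST = {"222.173.190.239"}              # constructed: what 0xdeadbeef decodes to
    for sample in ("http://222.173.190.239/", "http://0xDEADBEEF/",
                   "http://0336.0255.0276.0357/", "http://3735928559/",
                   "http://0xde.173.0xbeef/", "http://www.example.org@0xdeadbeef/x"):
        print(f"{sample:42} naive={naive_is_blocked(sample, BLOCKLIST)!s:5} "
              f"semantic={is_blocked(sample, BLOCKLIST)}")
```

Only the first sample trips the naive substring check; all six trip the semantic one. A real filter would still have to resolve DNS names (and re-check after redirects), but that is a separate step from getting the literal forms right.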
So a URL isn't filtered. What happens then? Windows gets reinstalled. Not automatically, of course. Perhaps techies get another job. Or someone's pc gets a job, for some botnet. Makes internet life eventful, I guess.
Build your own energy sources from scratch. http://otherpower.com/
The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.
Who thought it was a good idea to allow IP addresses to be entered in so many different formats? Who are you to decide that 0x01 is not a domain name? This is a feature which is hardly ever going to be used legitimately, but the code must be written and tested. KISS. Keep it simple, stupid.
I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin.
You can have a hundred DNS records point to the same "hacked" site. So what's the point of this?
If it's broken, it's broken. This analysis is just adding complexity and air-time to no purpose.

The basic fact is that we have incredibly complicated software tools (browsers) that are designed to feed on an arbitrarily large set of untrusted, malicious, infected data. The browsers are in fact -designed- to go behind your back to download data from servers you never queried and did not know existed. They can and will do this -randomly- or at the discretion of people who want to harm you.

The software browsers on most of the machines in the world operate with the ability to modify any file in the host computer. Even if they are prevented from changing some files, it only takes certain files to make the entire system untrustworthy.

It's broken. I love the web. But it's broken by design.
Where do Hurley's numbers from Lost go?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
(Must try the new extended host name pattern matching)
HTTP/1.0:
GET /index.html HTTP/1.0

HTTP/1.1:
GET /index.html HTTP/1.1
Host: example.org
If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP 1.0 server, rendering this technique mostly useless for HTTP packet filtering.
Tricking HTTP proxy servers might work, if they allow CONNECT on port 80:
CONNECT 2130706433:80 HTTP/1.1
GET
Host: example.geek
We must have had 20 different ways to get to goatse.cx.
This isn't really new, and it's not just browsers. Most programs will take anything that can be interpreted by strtoul(3) as an IP address.
# ping 0xdeadbeef
PING 0xdeadbeef (222.173.190.239) 56(84) bytes of data.
From 219.146.113.214 icmp_seq=1 Time to live exceeded
1. Pick a web translation service from a trusted URL, i.e. http://babelfish.yahoo.com/
2. Translate a web page (which is blocked) from one random language to another (i.e. Greek to French).
3. Most schools wouldn't block Yahoo. The translation engine skips over non-comprehended words. Enjoy.
'security products'? A list of known malicious websites is no security. If that known malicious website can do something harmful, then any other site can do that, too.
I used this method to defeat school filters 10 or 11 years ago after I read about it in an article on Slashdot. Is it 1999 again?
http://www.packetstormsecurity.org/mag/keen/kv6.txt
Trying to be a little bit useful and not slam on the OP. My company does web based educational software. When we first released product, we found that schools would filter out URLs containing strings which suggested games or fun. Also, Windows Vista clients would block outgoing URL requests which contained 2 or more substrings which happened to be the same as certain rude words.
We found that running rot13 over URLs before they were transmitted between client and server (or vice versa) circumvented these very simple minded filters.
We used to use this back when I was in high school to get past the crappy filtering software. This is _very_ old news. Hell, I think I have a book from about a decade ago talking about this. Why is this on Slashdot?
Not all IP address filtering is done by IP firewalls. These days there are many applications, most notably web browsers, that consult online databases of known or suspected malicious hosts in order to protect users from malicious hosts. I know for a fact that Firefox and Safari do this--if you try to go to a known suspected malware site, the browser pops up a warning page instead of the page you asked for. Google also do it for their search results--suspected malware site results don't link to the site in question, they link to a warning page. Many websites also have anti-XSS submission filters that perform textual matching against known "bad" addresses, to protect their users from attacks.
Apparently, many such programs are not parsing the textual IP addresses into a canonical form, and are therefore vulnerable to this sort of obfuscation. So the typical result here is that a comment submission system will fail to block a comment that has some XSS in it, and the users' browsers, running on a network whose firewall doesn't filter the IP address in question, will then fetch a malicious script from a known malware site.
To a more interesting show?
XML causes global warming.
Well, this is quite interesting, but using FF 3.6.2 PPC none of the example links worked. They either redirected to whatevernumber.com which obviously doesn't work, or FF hangs trying to connect (with the octal IP). Neat, but somewhere in my setup or my DNS, these aren't working - patched already, or just better interpretation by 3.6.2?
you just make one of your virtual host's names the same as the ip address
so when a request comes in as a naked ip address, it always gets routed to the proper virtual host, every single time
just think of the naked ip address as yet another virtual host with its own name (a naked ip)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
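What the comment above describes, written out as an added Apache httpd configuration (it is not from the thread; the address 192.0.2.10, the site names and the document roots are placeholders). Because httpd uses the first <VirtualHost> for an address as the default when the Host: header matches none of the others, the block named after the bare IP is placed first, so it catches both a request whose Host: is literally the IP and a request whose Host: matches nothing:

```apacheconf
# One address carrying several name-based sites.  The first block is the
# catch-all: its ServerName is the bare IP, so a request with
# "Host: 192.0.2.10" matches it by name, and a request whose Host: matches
# no site at all falls back to it as the default for this address.
<VirtualHost 192.0.2.10:80>
    ServerName 192.0.2.10
    DocumentRoot /var/www/catch-all
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /var/www/example.org
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName example.net
    DocumentRoot /var/www/example.net
</VirtualHost>
```

Whether the catch-all should serve real content or a plain "no such site" page is a policy choice; the point is that a bare-IP request lands somewhere deliberate rather than on whichever site happens to be listed first.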
Yes. And the way to prevent every corporation from fixing this is to post the technique on Slashdot.
Security by obscurity, people!
Even if you win the rat race, you are still a rat
The author apparently does not realize this, but you can also partly concatenate octets and mix various notations:
http://0x4a.8196963/
And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").
2h 1y 21 0x
I used to do this back in high school. The sysadmin could never figure out how I did it ;p
Unfortunately nowadays so many sites are vhosted that it doesn't work as well anymore.
This is actually just a watered down version of a very, very old trick wherein you'd take a URL like http://3273372964/en/weblog?weblogid=208188044 and insert www.cnn.com@ before the ip address in long form. This of course meant the browser would try to login to the "real" website with the login "www.cnn.com". So you'd end up with a url that looked very much like it was part of CNN's website but was in fact something else entirely. I'd show you a demonstration URL, but Slashdot filters out the obfuscating part of urls formatted in that way so it would look identical.
At any rate, these days, not only do forums like Slashdot actively weed out those sorts of URLs as obvious attempts at obfuscation, but browsers pretty much universally will throw up a warning before taking you to a website obfuscated in that manner. And as a result, that trick long ago fell out of fashion.
But it seems everything old is new again, if you wait long enough.
The requested page cannot be displayed
Internal WebMarshal Error
3273372964 does not appear to be a valid IP address
WebMarshal ServerVersion: 6.1.7.4636
As said in TFA...
While the ability to do this is a plus for Phishers, it is also a plus for those of us soon to be living behind Conroy's[1] Great Firewall of Oz. I'd be betting that this would get straight past their filters. With this feature, just as long as they don't block DNS lookups of "banned" sites, the firewall will be a minor annoyance.
[1] Conroy - Senator Stephen Conroy -- Australian Minister for Communications and the Digital Economy -- He's in charge of building a fiber to the node network to give all of us here in Australia high speed connectivity, that won't be worth much because of the bottleneck imposed by the filter he wants to put in to keep us pure. Was made an Honorary Member of the Australian Computer Society which says more about them than him.