Slashdot Mirror


How To Evade URL Filters With (Not-So) Fancy Math

Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."


  1. Technical details here by TSHTF · · Score: 4, Informative

    The linked article is next to worthless. The real details are in this blog post.

    1. Re:Technical details here by AnEducatedNegro · · Score: 5, Funny

      don't you mean in this blog post?

    2. Re:Technical details here by TheRaven64 · · Score: 4, Informative

      OpenDNS is irrelevant. These are IP addresses, they are not domain names, so they don't need to go via DNS to be resolved. None of the links works in Safari on OS X either, but you can ping the IPs in the terminal, so it appears to be a bug (or 'security feature') in libcurl, which is what Safari uses for resolving URLs (earlier versions used CFURL, now WebKit uses libcurl directly). Checking this in the terminal shows the problem is actually deeper; libcurl passes the address to getaddrinfo(), but that fails. Trying the same command on GNU/Linux works correctly, so the glibc implementation of getaddrinfo() does handle this kind of resolution correctly. I presume that on OS X the ping utility handles its own address parsing; telnetting to 0x42.0x66.0x0d.0x63 fails in the host lookup stage.

      --
      I am TheRaven on Soylent News
    3. Re:Technical details here by moreati · · Score: 4, Interesting

      don't you mean in this blog post [3273372964]

      Interesting. Though Slashcode presented your URL as typed by you, hovering over it and right-click-copy in Chromium shows the canonical dotted quad http://195.27.181.36/en/weblog?weblogid=208188044

    4. Re:Technical details here by ObitMan · · Score: 3, Informative

      Never mind. I misread the article, sorry.

      --
      Who run Barter Town?
    5. Re:Technical details here by teh+moges · · Score: 2, Informative

      It works fine for me (v3.5.8 on kubuntu)

    6. Re:Technical details here by iammani · · Score: 2, Informative

      Me too, in FF v3.6 on Windows 7

    7. Re:Technical details here by elfprince13 · · Score: 2, Informative

      Well, at least on Mac it doesn't know what to do with it.

    8. Re:Technical details here by plover · · Score: 4, Interesting

      That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
      http://00000102.00000146.00000015.00000143/

      True octal notation simply requires a single leading zero, like this:
      http://0102.0146.015.0143/

      The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
      http://00000102.00000146.00000015.0143/
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.00143/
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.000143/
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.0000143/
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.00000143/
      Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.

      --
      John
    9. Re:Technical details here by MBCook · · Score: 3, Interesting

      I'm on Safari on OS X, and I can tell you that the link doesn't work. I get the standard Safari page saying "Can't find the server 3277....".

      I tried the links in the blog post, the first three don't work, they have the same problem. The fourth link, the one padded with 0s, eventually failed because the server failed to respond (/.ing, I'm guessing).

      This is the first time Safari has failed me in something geeky like this. Safari is the only browser that renders my brother's URL properly. It's one of the Unicode symbols, and Safari shows it that way. Safari shows (snowman).net correctly, but Firefox turns it into xn--n3h.net.

      Of course, /. won't let me post a unicode character.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    10. Re:Technical details here by SEWilco · · Score: 3, Insightful

      I learned about this back in 2002 in my Network security class

      Those who do not learn history are doomed to repeat it. And issue patches.

    11. Re:Technical details here by DriedClexler · · Score: 2, Funny

      (Slashdot makes me fill the lines with not-repetitive stuff.)

      And may I be the first to say: Mission Accomplished!

      --
      Information theory is life. The rest is just the KL divergence.
  2. virtual hosts by munehiro · · Score: 2, Informative

    Too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

    --
    "If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z is keep your mouth shut." - Einstein
  3. 0xdeadbeef by Anonymous Coward · · Score: 2, Funny

    Hrm... wonder how much the owner of the ip at 0xdeadbeef wants for it... :D

    1. Re:0xdeadbeef by ppanon · · Score: 2, Informative

      Uh oh. Looks like you can't Just Google It. Not only that, but they have all of 0xDEAD*

      ; <<>> DiG 9.2.4 <<>> -x 222.173.190.239
      ;; global options: printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44377
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;239.190.173.222.in-addr.arpa. IN PTR

      ;; AUTHORITY SECTION:
      173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.cn. 2005100802 10800 3600 604800 3600

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  4. Yeah But... by Greyfox · · Score: 4, Informative

    I actually preferred using a url with the 10 digit number that was my base 10 IP address in E-Mails as it got people's attention in an otherwise bland sea of domains. This has been a feature of libc as long as I can remember (in Linux you should be able to ping an IP address in some other number base) but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  5. Re:102 105 114 115 116 112 111 115 116 33 by bytethese · · Score: 4, Funny

    That's the same combination I have on my luggage!

  6. Oh come on by Zouden · · Score: 5, Interesting

    It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

    FTFA:

    it’s possible to imagine URL filtering tools having the same lack of support.

    In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

    --
    "A week in the lab saves an hour in the library"
    1. Re:Oh come on by BitZtream · · Score: 2, Insightful

      You do realize this is a timothy post ... right?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  7. Works in Chrome by crow · · Score: 3, Interesting

    All the alternate methods of specifying IP addresses for URLs work in Chrome. When you mouse over the link, you see it with the traditional decimal IP address, so it's not as obfuscated as it could be. Similarly when you reach the site, the URL displayed is in the traditional format.

    Addresses like http://0xdeadbeef/ and http://0xdeadd00d/ are assigned to a Chinese telecom company (they have all of 0xdead....).

  8. And the lesson people don't learn is... by Estanislao+Martínez · · Score: 4, Insightful

    You can't just do things like this based on the syntax of the input, but rather on the semantics. In this case, to properly block the URLs, you need to parse them and transform them into an abstract representation of what they mean, e.g. a struct that encodes the protocol, host, port, document and query strings, and then examine the parse result to check if it matches the rule.

    The IT industry just systematically fails this over and over, because of people's bad habit of doing shit with regular expressions instead of parsing and semantic analysis. See, for example, the gazillion ways that people get around cross-site scripting filters; or if you want to see it from the other angle (generation instead of parsing), see SQL injection.

  9. Big problem by Bogtha · · Score: 4, Informative

    The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.

    --
    Bogtha Bogtha Bogtha
  10. Why? by Anonymous Coward · · Score: 4, Insightful

    Who thought it was a good idea to allow IP addresses to be entered in so many different formats? Who are you to decide that 0x01 is not a domain name? This is a feature which is hardly ever going to be used legitimately, but the code must be written and tested. KISS. Keep it simple, stupid.

  11. Parent is troll link - don't click. by Anonymous Coward · · Score: 3, Informative

    Here is some text to get past the filter.

  12. Welcome to the 20th century by Dachannien · · Score: 4, Informative

    I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin.

  13. HTTP/1.0 Perhaps, HTTP/1.1 Unlikely by izomiac · · Score: 2, Informative

    HTTP/1.0:
    GET /index.html HTTP/1.0

    HTTP/1.1:
    GET /index.html HTTP/1.1
    Host: example.org

    If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP 1.0 server, rendering this technique mostly useless for HTTP packet filtering.

    Tricking HTTP proxy servers might work, if they allow CONNECT on port 80:

    CONNECT 2130706433:80 HTTP/1.1

    GET /index.html HTTP/1.1
    Host: example.geek

  14. Re:We learned this on slashdot. by bakdor · · Score: 4, Funny

    We must have had 20 different ways to get to goatse.cx.

    I didn't need 20 different ways. I just had it bookmarked for quick and easy viewing.

  15. Re:Simple defense: by DavidRawling · · Score: 3, Insightful

    Unfortunately you now cannot configure your ADSL modem until you install and configure local DNS and add the modem to the zone. Hardly something most grandmothers can do.

  16. ANCIENT by Urza9814 · · Score: 2

    We used to use this back when I was in high school to get past the crappy filtering software. This is _very_ old news. Hell, I think I have a book from about a decade ago talking about this. Why is this on Slashdot?

  17. This is totally going over your head. by Estanislao+Martínez · · Score: 3, Insightful

    No matter how you try to obfuscate the destination - a base-10 "number", octal, binary, who effing cares how - it still goes out on the wire as an IP packet with a destination address field, either sourced from your desktop or your proxy. Packets don't lie.

    Not all IP address filtering is done by IP firewalls. These days there are many applications, most notably web browsers, that consult online databases of known or suspected malicious hosts in order to protect users from malicious hosts. I know for a fact that Firefox and Safari do this--if you try to go to a known suspected malware site, the browser pops up a warning page instead of the page you asked for. Google also do it for their search results--suspected malware site results don't link to the site in question, they link to a warning page. Many websites also have anti-XSS submission filters that perform textual matching against known "bad" addresses, to protect their users from attacks.

    Apparently, many such programs are not parsing the textual IP addresses into a canonical form, and are therefore vulnerable to this sort of obfuscation. So the typical result here is that a comment submission system will fail to block a comment that has some XSS in it, and the users' browsers, running on a network whose firewall doesn't filter the IP address in question, will then fetch a malicious script from a known malware site.

  18. Get prepared to have your mind blown by gqx · · Score: 5, Informative

    The author apparently does not realize this, but you can also partly concatenate octets and mix various notations:

    http://0x4a.8196963/

    And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").
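Comment #8's point (parse the URL into a canonical form, don't pattern-match its text) applied to the octal, zero-padded, hex and mixed spellings plover and gqx show, as an added example that is not code from the thread or from any filtering product: the BSD/glibc inet_aton radix and component rules reimplemented in Python, with the resulting dotted quad checked against a blocklist. SAMPLE_URLS, the function names and the blocklist value are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# One dotted component, with the radix rules BSD/glibc inet_aton applies:
# "0x"/"0X" prefix -> hexadecimal, leading "0" -> octal, otherwise decimal.
_PART = re.compile(r"^(?:0[xX]([0-9a-fA-F]+)|(0[0-7]*)|([1-9][0-9]*))$")

# Constructed sample: the thread's spellings of 66.102.13.99, plus a plain name.
SAMPLE_URLS = ("http://0x42.0x66.0x0d.0x63/", "http://0102.0146.015.0143/",
               "http://00000102.00000146.00000015.00000143/", "http://example.org/")

def parse_part(text):
    m = _PART.match(text)
    if not m:
        raise ValueError(f"not an inet_aton component: {text!r}")
    hexd, octd, decd = m.groups()
    if hexd is not None:
        return int(hexd, 16)
    return int(octd, 8) if octd is not None else int(decd, 10)

def canonical_ipv4(host):
    """Dotted-quad form of an inet_aton-style host ("a", "a.b", "a.b.c" or
    "a.b.c.d" in any radix), or None if the host is not such an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every component but the last is one octet; the last one carries the
    # remaining 32/24/16/8 bits, which is what makes "0x4a.8196963" legal.
    last_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << last_bits):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | values[-1]
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_blocked(url, blocked_quads):
    # Decide on the canonical address, never on its spelling in the URL;
    # urlsplit().hostname also discards the "user@" prefix Cyberllama describes.
    host = urlsplit(url).hostname or ""
    return canonical_ipv4(host) in blocked_quads

def filter_report(urls=SAMPLE_URLS, blocked_quads=frozenset({"66.102.13.99"})):
    """Map each URL to (canonical host or None, blocked?) for a quick check."""
    return {u: (canonical_ipv4(urlsplit(u).hostname or ""), is_blocked(u, blocked_quads))
            for u in urls}
```

Where the platform resolver is what the filter is protecting, feed the host to that platform's own inet_aton (socket.inet_aton in Python) rather than a reimplementation, so that the filter's parse agrees with the browser's; the cross-platform disagreements TheRaven64 and MBCook report are exactly the gap an evader relies on.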

  19. Re:wrong by girlintraining · · Score: 2, Interesting

    you just make one of your virtual host's names the same as the ip address

    Usually, the default page (what you're talking about) where no Host field is provided lists possible domains you can navigate to, sometimes with URL translation or fuzzy-searches if the admin is anal. :) Failing to set this up is just poor form.
    Poor form, however, is common.

    --
    #fuckbeta #iamslashdot #dicemustdie
  20. Re:Simple defense: by yuhong · · Score: 2, Informative

    Some modems and routers have internal DNS servers in them. For example, my family has a Westell 6100 modem from Verizon that has this feature, and dslrouter is the DNS name assigned to the modem. I'd recommend an exemption list, and include 192.168.*.* by default in it.

  21. Not quite new by Cyberllama · · Score: 3, Interesting

    This is actually just a watered down version of a very, very old trick wherein you'd take a URL like http://3273372964/en/weblog?weblogid=208188044 and insert www.cnn.com@ before the ip address in long form. This of course meant the browser would try to login to the "real" website with the login "www.cnn.com". So you'd end up with a url that looked very much like it was part of CNN's website but was in fact something else entirely. I'd show you a demonstration URL, but Slashdot filters out the obfuscating part of urls formatted in that way so it would look identical.

    At any rate, these days, not only do forums like Slashdot actively weed out those sorts of URLs as obvious attempts at obfuscation, but browsers pretty much universally will throw up a warning before taking you to a website obfuscated in that manner. And as a result, that trick long ago fell out of fashion.

    But it seems everything old is new again, if you wait long enough.