
How To Evade URL Filters With (Not-So) Fancy Math 162

Posted by timothy
from the could-I-have-twice-a-half-dozen dept.
Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."
  • by TSHTF (953742) on Tuesday March 23, 2010 @07:26PM (#31591196) Homepage
    The linked article is next to worthless. The real details are in this blog post. [viruslist.com]
    • by AnEducatedNegro (1372687) on Tuesday March 23, 2010 @07:29PM (#31591232)
      don't you mean in this blog post [3273372964]?
    • Re: (Score:1, Interesting)

      by ObitMan (550793)

      I'm using OpenDNS.
      None of the numeric URLs listed in the blog post work with it enabled.

      • by TheRaven64 (641858) on Tuesday March 23, 2010 @07:52PM (#31591550) Journal
        OpenDNS is irrelevant. These are IP addresses, they are not domain names, so they don't need to go via DNS to be resolved. None of the links works in Safari on OS X either, but you can ping the IPs in the terminal, so it appears to be a bug (or 'security feature') in libcurl, which is what Safari uses for resolving URLs (earlier versions used CFURL, now WebKit uses libcurl directly). Checking this in the terminal shows the problem is actually deeper; libcurl passes the address to getaddrinfo(), but that fails. Trying the same command on GNU/Linux works correctly, so the glibc implementation of getaddrinfo() does handle this kind of resolution correctly. I presume that on OS X the ping utility handles its own address parsing; telnetting to 0x42.0x66.0x0d.0x63 fails in the host lookup stage.
        • Re: (Score:3, Informative)

          by ObitMan (550793)

          Never mind. I misread the article, sorry.

      • The browser is responsible for this, not DNS. When I hover over the links, such as the post above yours or those in TFA, I see in the status bar the normal octet IP. So the browser does that translation, not DNS. In fact, I see this text above:

        don't you mean in this blog post [3273372964]?

        But when I hover over that or copy the link, I get this:

        http://195.27.181.36/en/weblog?weblogid=208188044 [195.27.181.36]

      • by BitZtream (692029)

        Interestingly enough, OpenDNS has nothing to do with your broken browser!

        'Numeric' or rather IP addresses in forms other than dotted quad are still just IP addresses and they do not get 'looked up' in DNS when connecting to a host. Even if they did, they'd all be sent as a 32-bit integer to OpenDNS anyway (as that's the way the DNS protocol works), so once again, OpenDNS cannot provide any sort of special treatment to URLs with IPs used that way.

        They work the exact same even if you have no DNS configured. D

    • by Bengie (1121981)

      I learned about this back in 2002 in my Network security class

      • by SEWilco (27983) on Tuesday March 23, 2010 @09:49PM (#31592708) Journal

        I learned about this back in 2002 in my Network security class

        Those who do not learn history are doomed to repeat it. And issue patches.

      • by MrCrassic (994046)

        Take that a step further: anyone that does any sort of TCP/IP or sockets programming knows this, since IP addresses are naturally represented as hexadecimal to fit the four-byte long IP address field in the packet header. (Remember, int datatypes are four bytes long by themselves, whereas char datatypes are a byte (eight bits) each.) Getting dotted quad is as simple as inet_ntoa(struct in_addr *in).

        This is just not as well known because IP addresses have been used for so long now, most people forget what t

        • by MrCrassic (994046)

          Made a big mistake in my post: IP addresses, like anything else over the wire, are represented as 32-bit binary strings. The dotted quad format is just to make them more usable for us humans. I think the point is pretty clear; they don't have to just be integers.

    • by plover (150551) * on Tuesday March 23, 2010 @09:27PM (#31592486) Homepage Journal

      That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
      http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]

      True octal notation simply requires a single leading zero, like this:
      http://0102.0146.015.0143/ [0146.015.0143]

      The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
      http://00000102.00000146.00000015.0143/ [00000146.00000015.0143]
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.00143/ [00000146.00000015.00143]
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.000143/ [00000146.00000015.000143]
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.0000143/ [00000146.0...15.0000143]
      (Slashdot makes me fill the lines with not-repetitive stuff.)
      http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]
      Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.

      • Re: (Score:3, Funny)

        by DriedClexler (814907)

        (Slashdot makes me fill the lines with not-repetitive stuff.)

        And may I be the first to say: Mission Accomplished!

  • virtual hosts (Score:2, Informative)

    by munehiro (63206)

    Too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through a pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

    • Great for proxies (etc) though.

      How about (ab)using a service for testing your web site on different browsers? It sends back a picture of the specified page.

    • by duguk (589689)

      Too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through a pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

      Actually, it does pass the original URL through on the Host header. (I realise it won't work on existing sites without it in as an alias, but it is interesting!)

      I was surprised too, but tried it out myself yesterday, expecting the browser to rewrite it to the IP and send that as the host; at least, it doesn't in Firefox. I suspect it may vary per browser, possibly.

      Go have a look at http://0x40167cc8/ [0x40167cc8] and compare with http://64.22.124.200/ [64.22.124.200].

      • I suspect following those links would get me sacked.

        • FWIW, I pulled up a known blacklisted site at work with this method (felt it was safer than random /. links). Still blocked. In addition the proxy returned the known DNS name the 'IP' corresponded to.
          -nB

          • by duguk (589689)

            FWIW, I pulled up a known blacklisted site at work with this method (felt it was safer than random /. links). Still blocked. In addition the proxy returned the known DNS name the 'IP' corresponded to. -nB

            Honestly, it's not a dodgy link! Don't blame you though, really.

            Websense by any chance? That seems to be aware of it. This is an old trick really, it's well mentioned on the internets. Am surprised about the host header though.

            • I don't know if it is Websense...
              Blocks random shit though.
              One of my mates was looking at a webcomic series and one of the 6 pages was blocked.
              As to the DNS name, no surprise there: we run our own DNS servers; likely it does a lookup on the server and uses the name for the blocklist.
              -nB

        • by duguk (589689)
          Unless your company doesn't like webdesigners/pc repair companies, or had a problem with plain text pages containing a short hex code; I doubt it!

          This one might though: http://www.naughtyapes.co.uk/ [naughtyapes.co.uk]. But probably not.

          Still, you get the point right? That the host header is passed on despite it being an IP in Hex notation?
  • 0xdeadbeef (Score:2, Funny)

    by Anonymous Coward

    Hrm... wonder how much the owner of the ip at 0xdeadbeef wants for it... :D

    • by dotgain (630123)
      [pinky to mouth] 0x174876E800 dollars!
    • Re: (Score:3, Informative)

      by ppanon (16583)

      Uh oh. Looks like you can't Just Google It. Not only that, but they have all of 0xDEAD*

      ; <<>> DiG 9.2.4 <<>> -x 222.173.190.239
      ;; global options: printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44377
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;239.190.173.222.in-addr.arpa. IN PTR

      ;; AUTHORITY SECTION:
      173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.

  • Yeah But... (Score:5, Informative)

    by Greyfox (87712) on Tuesday March 23, 2010 @07:30PM (#31591262) Homepage Journal
    I actually preferred using a URL with the 10-digit number that was my base 10 IP address in e-mails, as it got people's attention in an otherwise bland sea of domains. This has been a feature of libc as long as I can remember (in Linux you should be able to ping an IP address in some other number base), but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.
    • by rubycodez (864176)

      Eh? My Firefox 3.5.8 does http://3626153264/ [3626153264] just fine (that's it.slashdot.org, by the way).

      As others have pointed out, it doesn't matter to any sane filtering system; the same numeric IP is emitted over the network by your computer anyway, regardless of the numerical base in the browser.

      • Firefox 3.6.2 Mac does not work. Apparently it's another difference between the Windows version and the Mac version.
    • but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.

      Well... except that clicking each of the links in the blog entry [3273372964] pointed out by TSHTF above shows that it *does* work in FF...

      • by Greyfox (87712)
        In the OSX client it tries to resolve the number as a dot-com address.
        • I think I prefer that it does resolve correctly, personally - I'd rather make that choice myself instead of having my browser make it for me. Interesting that it behaves differently on Mac though -- perhaps it relies on the underlying network stack to resolve it, and the difference is there?
          • by Greyfox (87712)
            Nope, the underlying libc behaves the same, and you can ping an IP address with its decimal representation from the command prompt on a Mac. It's just Firefox that goes to the extra effort to not allow the functionality. It's by deliberate design, too. I have a bugzilla bug with them where they insist that their handling of decimal addresses is correct.
            • Right, but why would they only disallow the functionality on the Mac build? The windows build does not have the same behavior, in that it allows all of the above options.
  • ...a snort inline installation.
  • Never follow a link that isn't a DNS name. Someone should write an addon that disables IP addresses for links, since they are almost always pointed at evil sites anyways. The only time I enter an IP is to connect to one machine on the LAN.
    • Re:Simple defense: (Score:4, Insightful)

      by DavidRawling (864446) <hulk_NO@SPAMyahoo.com> on Tuesday March 23, 2010 @09:29PM (#31592510)
      Unfortunately you now cannot configure your ADSL modem until you install and configure local DNS and add the modem to the zone. Hardly something most grandmothers can do.
      • Re: (Score:2, Informative)

        by yuhong (1378501)
        Some modems and routers have internal DNS servers in them. For example, my family has a Westell 6100 modem from Verizon that has this feature, and dslrouter is the DNS name assigned to the modem. I'd recommend an exemption list, and include 192.168.*.* by default in it.
    • by Khyber (864651)

      So what about game links that open directly via IP address to a server and port that is specified?

      Just because it can be abused doesn't mean it should be done away with entirely.

    • "Since they are almost always pointed at evil sites anyways."

      Are they? I'd say the opposite, DNS is often a must for naughty software, that way if the IP gets taken down you merely need to change a few A records...

      Also you probably don't want to underestimate the number of, let's say, streaming services (or any slightly more complex application) that make calls to IP addresses behind the scenes.

  • Oh come on (Score:5, Interesting)

    by Zouden (232738) on Tuesday March 23, 2010 @07:33PM (#31591300)

    It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

    FTFA:

    it’s possible to imagine URL filtering tools having the same lack of support.

    In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

    • by PCM2 (4486)

      It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

      Unless, I guess, your filter allows you to specify IP addresses to be filtered as strings and then compares them to the addresses of requests as strings. It would be lazy, sloppy, bad programming -- but that's never stopped anyone.

      Still, that behavior would be trivial enough to fix.

      • by Lehk228 (705449)
        Especially likely since the "easy" way would be to include the IPs in the list of blocked domains and let the text matching of the domain blocker do the work.
    • It's true, I tried this at school three years ago and no matter what way I put the IP in, the site was blocked. Might as well use Tor. If you're on XP it's a matter of a flash drive and C:\Windows\System32\at.exe to run any program you want
      • by DarkOx (621550)

        Only if your admin either does not really care or is terrible at building GPOs.

    • by Judinous (1093945)
      Yeah, the only thing that I can imagine this possibly affecting would be the browser's phishing filters.
    • by Sigma 7 (266129)

      If that IP is blocked, you won't get through even if you use this method.

      True, but if you block by IP, you risk blocking other sites on the same host. For example, a medium-sized business may think they're blocking access to http://ebay.com/ [ebay.com], but suddenly discover they're also blocking the revenue source http://paypal.com/ [paypal.com].

      Technically, multiple sites shouldn't be on the same page, but...

    • by Spit (23158)

      Thankfully octal and hex are easy to regexp in squid. All hail Squid!

    • Re: (Score:3, Insightful)

      by BitZtream (692029)

      You do realize this is a timothy post ... right?

    • by NevarMore (248971)

      What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

      Getting tested on a wide swath of browsers, DNS servers, networks, firewalls, from all over the world by geeks who can generally provide decent feedback on its effectiveness.

    • by chrb (1083577)

      It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

      Some of the major internet filters only block by domain name matching. You can bypass them by just using the IP address (of course, this fails when the site HTML contains URLs that specify the domain name).

  • Works in Chrome (Score:4, Interesting)

    by crow (16139) on Tuesday March 23, 2010 @07:33PM (#31591310) Homepage Journal

    All the alternate methods of specifying IP addresses for URLs work in Chrome. When you mouse over the link, you see it with the traditional decimal IP address, so it's not as obfuscated as it could be. Similarly when you reach the site, the URL displayed is in the traditional format.

    Addresses like http://0xdeadbeef/ [0xdeadbeef] and http://0xdeadd00d/ [0xdeadd00d] are assigned to a Chinese telecom company (they have all of 0xdead....).

    • by jittles (1613415)
      This is not a new problem. I worked for an ISP in 1999 and we saw attackers using this back then.
  • by Estanislao Martínez (203477) on Tuesday March 23, 2010 @07:37PM (#31591360) Homepage

    You can't just do things like this based on the syntax of the input, but rather on the semantics. In this case, to properly block the URLs, you need to parse them and transform them into an abstract representation of what they mean, e.g. a struct that encodes the protocol, host, port, document and query strings, and then examine the parse result to check if it matches the rule.

    The IT industry just systematically fails this over and over, because of people's bad habit of doing shit with regular expressions instead of parsing and semantic analysis. See, for example, the gazillion ways that people get around cross-site scripting filters; or if you want to see it from the other angle (generation instead of parsing), see SQL injection.

  • So a URL isn't filtered. What happens then? Windows gets reinstalled. Not automatically, of course. Perhaps techies get another job. Or someone's pc gets a job, for some botnet. Makes internet life eventful, I guess.
    • by Lehk228 (705449)
      your boss walks in while you have goatse on your screen
      • by plover (150551) *

        your boss walks in while you have goatse on your screen

        Hey, boss, come look at my new "magic mirror" app. It uses the web cam to display people as they truly are!

        *fired*

        But some days it would be soooo worth it.

  • Big problem (Score:5, Informative)

    by Bogtha (906264) on Tuesday March 23, 2010 @07:39PM (#31591404)

    The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.

    • You just make one of your virtual host's names the same as the IP address.

      So when a request comes in as a naked IP address, it always gets routed to the proper virtual host, every single time.

      Just think of the naked IP address as yet another virtual host with its own name (a naked IP).

      • Re: (Score:2, Interesting)

        you just make one of your virtual host's names the same as the ip address

        Usually, the default page (what you're talking about) where no Host field is provided lists possible domains you can navigate to, sometimes with URL translation or fuzzy-searches if the admin is anal. :) Failing to set this up is just poor form.
        Poor form, however, is common.

        • by Bogtha (906264)

          Failing to set this up is just poor form.

          On the contrary, that configuration is poor form. Okay, so your site is now compatible with a tiny fraction of HTTP clients that will undoubtedly have major problems with many - if not most - other sites. Wow. Big win. Also, it's not effective, as any paths relative to the root will fail, or worse, load from other sites on the same server. Along with other miscellaneous problems, like spidering (penalised for duplicate content? robots.txt?) and TLS. But th

  • Why? (Score:4, Insightful)

    by Anonymous Coward on Tuesday March 23, 2010 @07:41PM (#31591432)

    Who thought it was a good idea to allow IP addresses to be entered in so many different formats? Who are you to decide that 0x01 is not a domain name? This is a feature which is hardly ever going to be used legitimately, but the code must be written and tested. KISS. Keep it simple, stupid.

  • by Dachannien (617929) on Tuesday March 23, 2010 @07:49PM (#31591520)

    I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin [mitre.org].

  • You can have a hundred DNS records point to the same "hacked" site. So what's the point of this.

    If it's broken, it's broken. This analysis is just adding complexity and air-time to no purpose.

    The basic fact is that we have incredibly complicated software tools (browsers) that are designed
    to feed on an arbitrarily large set of untrusted, malicious, infected data. The browsers are in fact
    -designed- to go behind your back to download data from servers you never queried and did
    not know existed. They can an

    • Indeed. Many people apparently have difficulty operating web browsers, even those designed to hide the complexity as well as possible.

      On an unrelated note, I would like to add that although the layout is similar, a computer keyboard is not a typewriter. There is no need to manually insert carriage returns while typing.

      • by Chelloveck (14643)

        On an unrelated note, I would like to add that although the layout is similar, a computer keyboard is not a typewriter. There is no need to manually insert carriage returns while typing.

        Nor, I might add, is there any need to manually insert <tt> tags...

        • Those were code tags, and were needed because the code font looks more typewritery. <tt> tags, if Slashdot allows, would probably have been more appropriate. Laziness won out over perfect poetry.

  • HTTP/1.0:
    GET /index.html HTTP/1.0

    HTTP/1.1:
    GET /index.html HTTP/1.1
    Host: example.org

    If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP 1.0 server, rendering this technique mostly useless for HTTP packet filtering.

    Tricking HTTP proxy servers might work, if th
  • We must have had 20 different ways to get to goatse.cx.

  • This isn't really new, and it's not just browsers. Most programs will take anything that can be interpreted by strtoul(3) as an IP address.

    # ping 0xdeadbeef
    PING 0xdeadbeef (222.173.190.239) 56(84) bytes of data.
    From 219.146.113.214 icmp_seq=1 Time to live exceeded

  • by Urza9814 (883915) on Tuesday March 23, 2010 @09:35PM (#31592570)

    We used to use this back when I was in high school to get past the crappy filtering software. This is _very_ old news. Hell, I think I have a book from about a decade ago talking about this. Why is this on Slashdot?

  • Well, this is quite interesting, but using FF 3.6.2 PPC none of the example links worked. They either redirected to whatevernumber.com which obviously doesn't work, or FF hangs trying to connect (with the octal IP). Neat, but somewhere in my setup or my DNS, these aren't working - patched already, or just better interpretation by 3.6.2?

  • by gqx (1293372) on Wednesday March 24, 2010 @12:11AM (#31593778)
    The author apparently does not realize this, but you can also partly concatenate octets and mix various notations:

    http://0x4a.8196963/ [0x4a.8196963]

    And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").
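Several comments in this thread circle the same defensive point: the summary's hex and octal forms, plover's leading-zero octal variants, gqx's mixed "0x4a.8196963" form and RFC 3986 section 7.4, Estanislao Martínez's argument that a filter must parse a URL into its meaning rather than pattern-match its text, PCM2's and Lehk228's guess that some filters compare IPs as strings, duguk's observation that Firefox sends the literal "0x40167cc8" in the Host header, and Cyberllama's "www.cnn.com@" userinfo decoy. The following is an added example, not code from the thread or from the linked blog post, that canonicalises every 1- to 4-part numeric host form (hex, octal, decimal, leading zeros, partial concatenation) to a dotted quad and then compares by value; the function names, the blocklist and the two request byte strings are constructed for illustration, and the filling rule (the last component fills the remaining bits) is the classic inet_aton() behaviour the thread describes, not something taken from any particular product.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the Slashdot thread or the linked blog post.
# Canonicalises the "rare IP address formats" of RFC 3986 section 7.4 so a
# URL filter compares hosts by value, not by string. Function names, the
# blocklist and the request bytes are constructed for illustration.

_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_part(text):
    """One dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _PART_RE.match(text):
        raise ValueError("not a numeric component: %r" % text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Dotted quad for a numeric host in any 1- to 4-part form, else None.

    a.b.c.d gives one byte each; a.b.c lets c fill the last 16 bits;
    a.b lets b fill the last 24 bits; a lone number is the whole 32 bits.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 8 * (5 - len(values))      # 32, 24, 16 or 8
    if last >= 1 << last_bits:             # e.g. 0x174876E800 does not fit
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def analyse_url(url):
    """Semantic view of a URL: scheme, userinfo, canonical host, port, path, query."""
    parts = urlsplit(url)
    literal = parts.hostname or ""
    canonical = canonical_ipv4(literal)
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,        # "www.cnn.com@" style decoys land here
        "host": canonical or literal,
        "rewritten": canonical is not None and canonical != literal,
        "port": parts.port,
        "path": parts.path,
        "query": parts.query,
    }


def naive_is_blocked(url, blocklist):
    """String comparison of the host as typed: what a domain-list filter does."""
    return (urlsplit(url).hostname or "") in {b.lower() for b in blocklist}


def is_blocked(url, blocklist):
    """Comparison after canonicalising both the request host and the list."""
    canonical_list = {canonical_ipv4(b) or b.lower() for b in blocklist}
    return analyse_url(url)["host"] in canonical_list


def host_from_request(raw):
    """Canonical host from a raw request's Host header; None if absent (HTTP/1.0)."""
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if line == "":                     # end of headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            literal = value.strip().split(":")[0].lower()   # drop any :port
            return canonical_ipv4(literal) or literal
    return None


# Constructed sample data.
BLOCKLIST = ["222.173.190.239", "example.org"]
REQUEST_11 = b"GET /index.html HTTP/1.1\r\nHost: 0x40167cc8\r\n\r\n"
REQUEST_10 = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for u in ("http://0xdeadbeef/", "http://0102.0146.015.0143/", "http://0x4a.8196963/",
              "http://www.cnn.com@3273372964/en/weblog?weblogid=208188044"):
        print(u, "->", analyse_url(u))
    print("naive:", naive_is_blocked("http://0xdeadbeef/", BLOCKLIST),
          "canonical:", is_blocked("http://0xdeadbeef/", BLOCKLIST))
    print(host_from_request(REQUEST_11), host_from_request(REQUEST_10))
```

Run stand-alone, the script shows the naive string filter letting http://0xdeadbeef/ through while the canonical comparison blocks it, and shows the Host header "0x40167cc8" resolving to 64.22.124.200 for the HTTP/1.1 request and to nothing for the HTTP/1.0 one, which is the case where a filter has only the destination address to go on. The "rewritten" flag is the cheap detection signal: a host literal that differs from its own canonical form is a rare thing to see in legitimate traffic and is worth logging on its own, independent of whether the address is on a list.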
  • I used to do this back in high school. The sysadmin could never figure out how I did it ;p

    Unfortunately nowadays so many sites are vhosted that it doesn't work as well anymore.

  • Not quite new (Score:4, Interesting)

    by Cyberllama (113628) on Wednesday March 24, 2010 @05:41AM (#31595114)

    This is actually just a watered down version of a very, very old trick wherein you'd take a URL like http://3273372964/en/weblog?weblogid=208188044 [3273372964] and insert www.cnn.com@ before the ip address in long form. This of course meant the browser would try to login to the "real" website with the login "www.cnn.com". So you'd end up with a url that looked very much like it was part of CNN's website but was in fact something else entirely. I'd show you a demonstration URL, but Slashdot filters out the obfuscating part of urls formatted in that way so it would look identical.

    At any rate, these days, not only do forums like Slashdot actively weed out those sorts of URLs as obvious attempts at obfuscation, but browsers pretty much universally will throw up a warning before taking you to a website obfuscated in that manner. And as a result, that trick long ago fell out of fashion.

    But it seems everything old is new again, if you wait long enough.
