GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability
Date & Version : 04/14/2007 - 1.4
Description :
Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded
traffic. This may allow malicious content to bypass HTTP content scanning systems.
HTTP content scanning systems have a pre-processor that decodes the various
encodings an HTTP request may use (UTF encoding, for example) before attack
signature analysis. Full-width and half-width forms are one such encoding of
Unicode characters. Various HTTP content scanning systems fail to properly scan
full-width/half-width Unicode encoded traffic.
Some open source and Microsoft products, such as Microsoft IIS and the .NET
Framework, properly decode this type of encoding. But most IDS/IPS/WAF
products do not properly decode full-width Unicode (%uff) encoded HTTP
requests for analysis, lowercase/uppercase conversion and character
matching. By sending such HTTP traffic through a vulnerable content scanning
system, an attacker may be able to bypass the content scanning system.
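As an added illustration, not part of the original advisory or of any vendor's code, the following Python pre-processor shows the step the advisory says the affected products lack: decode %uXXXX escapes, fold the Unicode Fullwidth Forms (U+FF01..U+FF5E) onto their ASCII counterparts, and only then case-fold and match signatures. The request line and the signature list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# IIS/.NET-style %uXXXX escape (the "%uff" encoding named in the advisory).
_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Unicode Fullwidth Forms U+FF01..U+FF5E mirror ASCII U+0021..U+007E at a
# constant offset of 0xFEE0 (see the Unicode UFF00 chart referenced below).
_FULLWIDTH_OFFSET = 0xFEE0


def decode_percent_u(s: str) -> str:
    """Decode %uXXXX escapes first, then ordinary %XX escapes."""
    s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def fold_fullwidth(s: str) -> str:
    """Map each fullwidth ASCII variant to its plain ASCII code point."""
    return "".join(
        chr(ord(ch) - _FULLWIDTH_OFFSET) if 0xFF01 <= ord(ch) <= 0xFF5E else ch
        for ch in s
    )


def normalize_request(s: str) -> str:
    """Decode, fold width, then case-fold. The order matters: lower() on a
    fullwidth 'C' (U+FF23) yields fullwidth 'c' (U+FF43), which still never
    compares equal to ASCII 'c', so case conversion alone does not help."""
    return fold_fullwidth(decode_percent_u(s)).lower()


def match_signatures(request: str, signatures, normalize: bool = True) -> list:
    """Return the signatures found in the request. normalize=False mimics a
    scanner that only lowercases the raw request, as the advisory describes."""
    text = normalize_request(request) if normalize else request.lower()
    return [sig for sig in signatures if sig in text]


# Constructed sample: a traversal attempt written with fullwidth '.' and '/'.
SAMPLE_REQUEST = "GET /images/%uFF0E%uFF0E%uFF0F%uFF0E%uFF0E%uFF0Fconfig.ini HTTP/1.1"
SIGNATURES = ("../",)  # constructed signature list for the demonstration

if __name__ == "__main__":
    print("without width folding:", match_signatures(SAMPLE_REQUEST, SIGNATURES, False))
    print("with width folding:   ", match_signatures(SAMPLE_REQUEST, SIGNATURES, True))
```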
Risk Level : High
Impact : Security Bypass
Systems Affected :
Checkpoint Web Intelligence
Internet Security Systems, Inc.: Proventia A Series
Internet Security Systems, Inc.: Proventia G Series
Internet Security Systems, Inc.: Proventia M Series
Cisco Intrusion Prevention System (IPS) 5.x
Cisco IOS 10.x 11.x 12.x
McAfee IntruShield Sensor Software 3.1
McAfee IntruShield Sensor Software 2.1
3Com TippingPoint X505
3Com TippingPoint X506
3Com TippingPoint 50
3Com TippingPoint 200
3Com TippingPoint 200E
3Com TippingPoint 600E
3Com TippingPoint 1200E
3Com TippingPoint 2400E
3Com TippingPoint 5000E
3Com TippingPoint SMS (Enterprise-Level Management System)
3Com TippingPoint ZPHA (Zero Power High Availability)
Full List of Vendors : (CERT - Vulnerability Note VU#739224) [3]
Remedy :
Contact your vendor for a hotfix, patch or advanced configuration.
Credits :
Fatih Ozavci (GamaTEAM Member)
Caglar Cakici (GamaTEAM Member)
Detected using the GamaSEC Exploit Framework
GamaSEC Security Solutions (www.gamasec.net)
Original Advisory Link :
http://www.gamasec.net/english/gs07-01.html
References :
- CVE ID : CVE-2007-2688, CVE-2007-2689, CVE-2007-2690
- Security Focus Bugtraq ID : 23980
http://www.securityfocus.com/bid/23980
- CERT - Vulnerability Note VU#739224
http://www.kb.cert.org/vuls/id/739224
- Unicode Home Page
http://unicode.org
- Unicode.org, Halfwidth and Fullwidth Forms
http://www.unicode.org/charts/PDF/UFF00.pdf
- FrSIRT - 3Com TippingPoint IPS Products Unicode Characters Detection Evasion Vulnerability
http://www.frsirt.com/english/advisories/2007/1817
- 3COM TippingPoint - 3COM-07-001 TippingPoint IPS Unicode Evasion
http://www.3com.com/securityalert/alerts/3COM-07-001.html
- FrSIRT - Cisco IPS Full/Half Width Unicode Characters Handling Detection Evasion Vulnerability
http://www.frsirt.com/english/advisories/2007/1803
- Secunia - Cisco Products HTTP Unicode Encoding Detection Bypass
http://secunia.com/advisories/25285/
- Cisco Security Response: HTTP Full-Width and Half-Width Unicode Encoding Evasion
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
- ISC Sans Diary - Full-Width/Half-Width Unicode Bypasses HTTP Scanning
http://isc.sans.org/diary.html?storyid=2807
- Check Point Web Intelligence Lets Remote Users Evade Detection With Certain Character Encodings
http://securitytracker.com/alerts/2007/May/1018067.html
- McAfee Security Bulletin - IntruShield signature prevents published full/half width Unicode character obfuscation technique [612970]
  Signature: UDS-HTTP: Possible full-width and half-width unicode encoding evasion