GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability May 15 2007 06:36AM
Fatih Ozavci (securitylists gamasec net)

GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass
Vulnerability

Date & Version : 04/14/2007 - 1.0

Description :

Various HTTP content scanning systems fail to properly scan
full-width/half-width Unicode encoded traffic. This may allow malicious
content to bypass HTTP content scanning systems.

HTTP Content Scanning Systems have a pre-processor to decode various
forms of HTTP encoded requests such as UTF encoding for attack signature
analysis. Full-width and half-width is an encoding technique for Unicode
characters. Various HTTP content scanning systems fail to properly scan
full-width/half-width Unicode encoded traffic.

Some Open Source or Microsoft Products such as Microsoft ISS and .NET
Framework properly decode this type of encoding. But most IDS/IPS/WAF
products does not properly decode full-width Unicode (%uff) encoded HTTP
requests for analysis, Lowercase/Uppercase conversion and character
matching. By sending HTTP traffic to a vulnerable content scanning
system, an attacker may be able to bypass the content scanning system.

Risk Level : High

Impact : Security Bypass

Systems Affected :

Checkpoint Web Intelligence (Confirmed)
IBM ISS Proventia Series (Confirmed)
Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1]

Remedy :

Contact your vendor for a hotfix, patch or advanced configuration.

Credits :

Fatih Ozavci (GamaTEAM Member)
Caglar Cakici (GamaTEAM Member)
It's detected using GamaSEC Exploit Framework
GamaSEC Information Security Audit and Consulting Services
(www.gamasec.net)

Original Advisory Link :
http://www.gamasec.net/english/gs07-01.html

References :

1. CERT - Vulnerability Note VU#739224
http://www.kb.cert.org/vuls/id/739224

2. Unicode Home Page
http://unicode.org

3. Unicode.org, Halfwidth and Fullwidth Forms
http://www.unicode.org/charts/PDF/UFF00.pdf

--
Best Regards
Fatih Ozavci
IT Security Consultant

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus