Focus on IDS
Detection evasion technique by invalid UTF-8 sequences Mar 23 2009 02:44AM
bugtraq01 hash-c co jp (1 replies)
Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.

Overview
========

Invalid UTF-8 sequences are ignored in ASP.NET 1.1.
This may be used for the detection evasion of IDS/IPS/WAF.

Problem 1
=========

Affected Environment:
Web sites written by ASP.NET 1.1 and using UTF-8 character encoding.

Summary:

Invalid UTF-8 sequences are ignored.

Sample script (ex1.aspx):

<%= Request.QueryString("p") %>

Input: http://hostname/ex1.aspx?p=dec%E6lare
Output: declare

Problem 2 (Reference Information)
=================================

Affected Environment:
All Web Sites written by Legacy ASP (Active Server Pages).

Summary:

Percent(%) symbols are ignored in the case of invalid
percent-encoding.

Sample script (ex2.asp):

<%= Request.QueryString("p") %>

Input: http://hostname/ex2.asp?p=dec%lare
Output: declare

This problem was reported by LAC Corporation on Oct. 2, 2008.
http://www.lac.co.jp/info/rrics_report/csl20081002.html (Japanese)

Influence
=========

Detection by IDS/IPS/WAF(Web Application Firewall) is evaded by
inserting invalid UTF-8 sequences on the way of SQL keywords(select,
union, declare and so on).

Solution and Workaround
=======================

* Considering Character encoding on detecting by IDS/IPS/WAF.
* Migration to ASP.NET 2.0
The 1st problem is resolved in ASP.NET 2.0.
* Fixing Vulnerabilities.

Credit
======

This vulnerability was reported by Hiroshi Tokumaru of
HASH Consulting Corporation(http://www.hash-c.co.jp/).

Contact
=======

secuinfo (at) hash-c (dot) co (dot) jp [email concealed]
http://www.tokumaru.org/d/ (Hiroshi Tokumaru Personal Blog)

[ reply ]
Re: Detection evasion technique by invalid UTF-8 sequences Mar 27 2009 01:11AM
Frank Knobbe (frank knobbe us)


 

Privacy Statement
Copyright 2010, SecurityFocus