AOH :: HP Unsorted G :: TB10890.HTM

GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability



GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability
GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability




GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass
Vulnerability

Date & Version : 04/14/2007 - 1.0

Description :

Various HTTP content scanning systems fail to properly scan
full-width/half-width Unicode encoded traffic. This may allow malicious
content to bypass HTTP content scanning systems.

HTTP Content Scanning Systems have a pre-processor to decode various
forms of HTTP encoded requests such as UTF encoding for attack signature
analysis. Full-width and half-width is an encoding technique for Unicode
characters. Various HTTP content scanning systems fail to properly scan
full-width/half-width Unicode encoded traffic.

Some Open Source or Microsoft Products such as Microsoft ISS and .NET
Framework properly decode this type of encoding. But most IDS/IPS/WAF
products does not properly decode full-width Unicode (%uff) encoded HTTP
requests for analysis, Lowercase/Uppercase conversion and character
matching. By sending HTTP traffic to a vulnerable content scanning
system, an attacker may be able to bypass the content scanning system.

Risk Level : High

Impact : Security Bypass

Systems Affected :

Checkpoint Web Intelligence (Confirmed)
IBM ISS Proventia Series (Confirmed)
Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1]

Remedy :

Contact your vendor for a hotfix, patch or advanced configuration.

Credits :

Fatih Ozavci (GamaTEAM Member)
Caglar Cakici (GamaTEAM Member)
It's detected using GamaSEC Exploit Framework
GamaSEC Information Security Audit and Consulting Services
(www.gamasec.net) 

Original Advisory Link :
http://www.gamasec.net/english/gs07-01.html 

References :

   1. CERT - Vulnerability Note VU#739224
http://www.kb.cert.org/vuls/id/739224 

   2. Unicode Home Page
http://unicode.org 

   3. Unicode.org, Halfwidth and Fullwidth Forms
http://www.unicode.org/charts/PDF/UFF00.pdf 


-- 
Best Regards
Fatih Ozavci
IT Security Consultant

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.