Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Full-width/half-width Unicode Bypasses Http Scanning


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:12:27 AM

Posted 15 May 2007 - 04:14 PM

Based on CERT, ISC, and other warnings below, the capability for security software to interrogate embedded Unicode characters in HTTP requests could be a serious exposure that needs to be patched by several vendors? So far, there are no known in-the-wild attacks:

Full-Width/Half-Width Unicode Bypasses HTTP Scanning
http://www.kb.cert.org/vuls/id/739224
http://isc.sans.org/diary.html?storyid=2807
http://www.gamasec.net/english/gs07-01.html
http://www.cisco.com/warp/public/707/cisco...4-unicode.shtml
http://www.frsirt.com/english/advisories/2007/1803
http://secunia.com/advisories/25285/

What is Unicode?
http://www.unicode.org/standard/WhatIsUnicode.html

The US-Cert has a vulnerability note out that describes how Full-Width and Half-Width Unicode encoding manages to bypass many HTTP content scanning engines (739224). This would allow remote attackers to hide malicious HTTP traffic by encoding it and have it slip happily past your IDS/IPS. This isn't an exploit itself, but allows exploits that would normally be detected (or blocked) to get through your IDS/IPS undetected.



BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users