
Widescale Unicode Encoding Implementation Flaw Discovered

Amit Klein was kind enough to point out that the ASP.NET filter evasion issue is actually a known issue. It was first pointed out in 2004! According to that post: "We have decided that a KB article and update to tools and/or best practice guidelines should be done for this, and will be as time permits. We are not tracking this case as a security bulletin." - Microsoft

UPDATED 05/21/07 by Robert

According to two posts on The Web Security Mailing List, IIS seems to be affected. Here is a cheat sheet of characters you can use to see whether your application's input filtering can be evaded.

> = %uff1E
< = %uff1c

Brackets ONLY Encoded: %uff1cscript%uff1Ealert(document.cookie)%uff1c/script%uff1E
Full Encoded: %uff1cscript%uff1Ealert%uFF08document%uff0ecookie%uff09%uff1c/script%uff1E
More updates will be posted here as they are discovered.
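
A defender-side check for the cheat sheet above, as an added example that is not code from the original post or from any affected product: it decodes the %uXXXX escapes, folds full-width forms to ASCII with Unicode NFKC normalization, and only then looks for angle brackets. The function names are hypothetical, and the two sample inputs are the cheat-sheet strings themselves.

```python
import re
import unicodedata
from urllib.parse import unquote

# Non-standard %uXXXX escape, the form used in the cheat sheet above.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# The two test strings from the cheat sheet above.
BRACKETS_ONLY = "%uff1cscript%uff1Ealert(document.cookie)%uff1c/script%uff1E"
FULL_ENCODED = ("%uff1cscript%uff1Ealert%uFF08document%uff0ecookie%uff09"
                "%uff1c/script%uff1E")


def decode_percent_u(raw: str) -> str:
    """Decode %uXXXX escapes first, then ordinary %XX escapes."""
    step = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(step)


def has_fullwidth_forms(raw: str) -> bool:
    """True if the decoded input uses the U+FF00..U+FFEF block (worth logging)."""
    return any(0xFF00 <= ord(c) <= 0xFFEF for c in decode_percent_u(raw))


def canonicalize(raw: str) -> str:
    """Decode, then fold full-width/half-width forms to ASCII via NFKC."""
    return unicodedata.normalize("NFKC", decode_percent_u(raw))


def naive_filter_blocks(raw: str) -> bool:
    """Weak form: decodes only %XX and looks for ASCII angle brackets."""
    text = unquote(raw)
    return "<" in text or ">" in text


def hardened_filter_blocks(raw: str) -> bool:
    """Same rule, applied to the canonical form of the input."""
    text = canonicalize(raw)
    return "<" in text or ">" in text


if __name__ == "__main__":
    for sample in (BRACKETS_ONLY, FULL_ENCODED, "plain text"):
        print(naive_filter_blocks(sample), hardened_filter_blocks(sample),
              has_fullwidth_forms(sample), canonicalize(sample))
```

The filter must see the same canonical form that the application or browser eventually acts on; normalizing in the filter but not in the backend (or the reverse) reopens the gap.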

Posted 05/21/07 by Robert

A new Unicode encoding bypass has been discovered which will potentially leave dozens of popular applications vulnerable. At this time, vendors such as 3com, ISS, Tippingpoint, Snort, and Cisco have released advisories. From CERT:

"Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system."

The impact is still being investigated by CERT at this time; however, it is very possible that other major products are also affected. Products most likely affected will be Intrusion Detection/Prevention Systems, maybe Application Servers/Web Proxies/Servers. The original advisory released by Fatih Ozavci and Caglar Cakici can be found at http://www.gamasec.net/english/gs07-01.html (Currently down)

Unicode Map: http://www.unicode.org/charts/PDF/UFF00.pdf
Advisory Link: http://www.kb.cert.org/vuls/id/739224
Vuln Chat: http://sla.ckers.org/forum/read.php?13,11562

