
SANS ISC: InfoSec Handlers Diary Blog


Full-Width/Half-Width Unicode Bypasses HTTP Scanning

Published: 2007-05-15
Last Updated: 2007-05-15 20:47:31 UTC
by John Bambenek (Version: 1)
US-CERT has published a vulnerability note (VU#739224) describing how full-width and half-width Unicode encoding of HTTP traffic bypasses many HTTP content scanning engines. A remote attacker can hide malicious HTTP requests simply by encoding them, and they slip happily past your IDS/IPS. This isn't an exploit in itself, but it lets exploits that would normally be detected (or blocked) reach the target undetected: the bytes on the wire no longer match the signature, while the receiving application decodes the full-width or half-width characters back to the plain ASCII the signature was written for. The only vendor with a verified vulnerability so far is Cisco, which has its own advisory out. Many other vendors have either not responded or not yet confirmed whether their products are affected, and that includes desktop anti-virus software. The vulnerability has apparently been known since April 16th and was made public yesterday.
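
To make the evasion concrete, here is an added example (not from the US-CERT note, the Cisco advisory, or any vendor's code) that encodes the printable ASCII characters of a request as their full-width Unicode equivalents (U+FF01 to U+FF5E, each ASCII code point plus 0xFEE0) and shows that a byte-level signature match misses the encoded request while a match performed after NFKC normalization catches it. The request lines, the signature string and the function names are constructed for the illustration; the assumption, as in the advisory, is that the scanner matches raw bytes while the target decodes full-width forms to ASCII.

```python
import unicodedata

# Full-width ASCII variants live at U+FF01..U+FF5E and are exactly
# 0xFEE0 above the ASCII character they represent ('/' 0x2F -> U+FF0F).
FULLWIDTH_OFFSET = 0xFEE0


def to_fullwidth(text: str) -> str:
    """Replace every printable ASCII character (0x21..0x7E) with its
    full-width form. Space is left alone; its wide form is U+3000, outside
    this block, and is not needed for the bypass."""
    return "".join(
        chr(ord(c) + FULLWIDTH_OFFSET) if 0x21 <= ord(c) <= 0x7E else c
        for c in text
    )


def naive_match(raw: bytes, signature: str) -> bool:
    """What a byte-oriented content scanner does: look for the literal
    signature bytes in the request."""
    return signature.encode("ascii") in raw


def normalized_match(raw: bytes, signature: str) -> bool:
    """Decode the request and apply Unicode compatibility normalization
    (NFKC) before matching. NFKC folds full-width and half-width
    compatibility forms back to their canonical characters, which is what
    the target application effectively sees."""
    text = raw.decode("utf-8", errors="replace")
    return signature in unicodedata.normalize("NFKC", text)


# Constructed sample traffic: a classic directory-traversal / cmd.exe
# request and the same request with its path full-width encoded.
SIGNATURE = "cmd.exe"
PLAIN_REQUEST = b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
EVASIVE_REQUEST = (
    "GET " + to_fullwidth("/scripts/..%5c../winnt/system32/cmd.exe?/c+dir")
    + " HTTP/1.0\r\n"
).encode("utf-8")


def scan_results() -> dict:
    """Run both matchers over both requests and return the verdicts."""
    return {
        "plain_naive": naive_match(PLAIN_REQUEST, SIGNATURE),
        "evasive_naive": naive_match(EVASIVE_REQUEST, SIGNATURE),
        "plain_normalized": normalized_match(PLAIN_REQUEST, SIGNATURE),
        "evasive_normalized": normalized_match(EVASIVE_REQUEST, SIGNATURE),
    }


if __name__ == "__main__":
    print("encoded '/':", to_fullwidth("/").encode("utf-8").hex())
    for name, hit in scan_results().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'missed'}")
```

The slash alone becomes the three bytes ef bc 8f on the wire, so a signature written for 0x2F never fires; only the matcher that normalizes before comparing reports the encoded request. Any HTTP inspection engine that wants to survive this class of evasion has to normalize (or at least decode) full-width and half-width forms the same way the protected server does, which is exactly the gap the advisory describes.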

UPDATE: 3:45 pm CDT, 5/15/07 - TippingPoint has confirmed they are vulnerable as well.

John Bambenek - bambenek /at/ gmail (dot) com
University of Illinois - Urbana-Champaign