IDS mailing list archives
Detection evasion technique by invalid UTF-8 sequences
From: bugtraq01 () hash-c co jp
Date: Mon, 23 Mar 2009 11:44:09 +0900
Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.

Overview
========
Invalid UTF-8 sequences are ignored in ASP.NET 1.1. This may be used for the detection evasion of IDS/IPS/WAF.

Problem 1
=========
Affected Environment: Web sites written by ASP.NET 1.1 and using UTF-8 character encoding.
Summary: Invalid UTF-8 sequences are ignored.

Sample script (ex1.aspx):
    <%= Request.QueryString("p") %>

Input: http://hostname/ex1.aspx?p=dec%E6lare
Output: declare

Problem 2 (Reference Information)
=================================
Affected Environment: All Web Sites written by Legacy ASP (Active Server Pages).
Summary: Percent(%) symbols are ignored in the case of invalid percent-encoding.

Sample script (ex2.asp):
    <%= Request.QueryString("p") %>

Input: http://hostname/ex2.asp?p=dec%lare
Output: declare

This problem was reported by LAC Corporation on Oct. 2, 2008.
http://www.lac.co.jp/info/rrics_report/csl20081002.html (Japanese)

Influence
=========
Detection by IDS/IPS/WAF(Web Application Firewall) is evaded by inserting invalid UTF-8 sequences on the way of SQL keywords(select, union, declare and so on).

Solution and Workaround
=======================
* Considering Character encoding on detecting by IDS/IPS/WAF.
* Migration to ASP.NET 2.0
  The 1st problem is resolved in ASP.NET 2.0.
* Fixing Vulnerabilities.

Credit
======
This vulnerability was reported by Hiroshi Tokumaru of HASH Consulting Corporation(http://www.hash-c.co.jp/).

Contact
=======
secuinfo (at) hash-c (dot) co (dot) jp
http://www.tokumaru.org/d/ (Hiroshi Tokumaru Personal Blog)
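
The first workaround above (take character encoding into account when detecting) can be sketched as follows. This is an added example, not part of the original advisory: it decodes a parameter value the way each affected backend is described as doing, matches keywords against every resulting view, and flags malformed encoding on its own. The function names, the Latin-1 fallback for Legacy ASP and the keyword list are assumptions of this sketch.

```python
import re

SQL_KEYWORDS = ("select", "union", "declare")  # keywords named in the advisory
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_STRAY_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def percent_decode(raw: bytes) -> bytes:
    """Decode valid %XX escapes once; leave anything else untouched."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def backend_views(raw: bytes) -> dict:
    """Return the value as each decoder described in the advisory would see it."""
    return {
        # What a byte-wise signature match sees: no decoding at all.
        "raw": raw.decode("latin-1"),
        # Problem 1 model: invalid UTF-8 bytes are silently dropped.
        "aspnet11": percent_decode(raw).decode("utf-8", errors="ignore"),
        # Problem 2 model: a '%' not followed by two hex digits is dropped.
        # Latin-1 is an assumption here so that decoding never fails.
        "legacy_asp": percent_decode(_STRAY_PCT.sub(b"", raw)).decode("latin-1"),
    }


def is_malformed(raw: bytes) -> bool:
    """True if the value has a stray '%' or decodes to invalid UTF-8."""
    if _STRAY_PCT.search(raw):
        return True
    try:
        percent_decode(raw).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def inspect(raw: bytes) -> dict:
    """Match keywords against every view and flag malformed encoding."""
    hits = {name: [k for k in SQL_KEYWORDS if k in view.lower()]
            for name, view in backend_views(raw).items()}
    return {"hits": hits, "malformed": is_malformed(raw)}


if __name__ == "__main__":
    # Constructed inputs: the two values shown in the advisory plus clean ones.
    for sample in (b"dec%E6lare", b"dec%lare", b"declare", b"hello"):
        print(sample, inspect(sample))
```

Both advisory inputs produce no hit in the "raw" view, which is the evasion being reported; the "malformed" flag gives a sensor a second signal that does not depend on guessing which backend sits behind it.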