Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: noise about full-width encoding bypass?

From: Valdis.Kletnieks () vt edu
Date: Mon, 21 May 2007 16:06:06 -0400
On Mon, 21 May 2007 14:41:58 CDT, Steven Adair said:

I think you could be on either side, but I would learn towards this being
a feature than a bug.  Multiple products appear to do the decoding in the
same manner and intentionally perform this function.


No, they merely *claim* to do it the same way.


                                                      However, the recent
advisories that went out were geared towards IDS/IPS products that were
not designed to be able to recognize such half-/full-width encoded
traffic.


And if the IDS doesn't do it the *exact* same way, we're just repeating
the mistakes of "using fragmented packets to bypass the IDS", "using X to
bypass the IDS", "using Y to bypass the IDS"... and so on.

Attachment: _bin
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: