IDS mailing list archives

Detection evasion technique by invalid UTF-8 sequences


From: bugtraq01 () hash-c co jp
Date: Mon, 23 Mar 2009 11:44:09 +0900

Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.

Overview
========

ASP.NET 1.1 ignores invalid UTF-8 sequences.
This can be used to evade detection by IDS/IPS/WAF.


Problem 1
=========

Affected Environment:
Web sites written in ASP.NET 1.1 and using UTF-8 character encoding.

Summary:

Invalid UTF-8 sequences are ignored. 

Sample script (ex1.aspx):

<%= Request.QueryString("p") %>

Input:  http://hostname/ex1.aspx?p=dec%E6lare 
Output:  declare 


Problem 2 (Reference Information)
=================================

Affected Environment:
All web sites written in legacy ASP (Active Server Pages).

Summary:

Percent (%) symbols are ignored when the percent-encoding is
invalid.

Sample script (ex2.asp):

<%= Request.QueryString("p") %>

Input: http://hostname/ex2.asp?p=dec%lare 
Output: declare 

This problem was reported by LAC Corporation on Oct. 2, 2008.
http://www.lac.co.jp/info/rrics_report/csl20081002.html (Japanese)


Influence
=========

Detection by IDS/IPS/WAF (Web Application Firewall) can be evaded by
inserting invalid UTF-8 sequences in the middle of SQL keywords (select,
union, declare and so on).


Solution and Workaround
=======================

* Take character encoding into account when detecting with IDS/IPS/WAF.
* Migrate to ASP.NET 2.0.
  The first problem is resolved in ASP.NET 2.0.
* Fix the vulnerabilities themselves.

Credit
======

This vulnerability was reported by Hiroshi Tokumaru of
HASH Consulting Corporation (http://www.hash-c.co.jp/).

Contact
=======

secuinfo (at) hash-c (dot) co (dot) jp
http://www.tokumaru.org/d/ (Hiroshi Tokumaru Personal Blog)
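
The first workaround above (taking character encoding into account during detection) can be sketched as a pre-filter that flags malformed encoding and then matches keywords on the text the backend would actually see. This is an added example, not part of the original advisory; the function names, finding labels and keyword list are assumptions, and the lenient decoding only approximates the behaviour the advisory describes.

```python
import re

# Keywords an inspection rule might look for (the advisory's own examples).
KEYWORDS = ("select", "union", "declare")

_HEX = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(raw: bytes):
    """Decode %XX escapes. A '%' not followed by two hex digits is flagged
    and dropped, mirroring the legacy ASP behaviour in Problem 2."""
    out, i, bad = bytearray(), 0, False
    while i < len(raw):
        m = _HEX.match(raw, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        elif raw[i:i + 1] == b"%":
            bad = True  # stray '%': record the anomaly, emit nothing
            i += 1
        else:
            out.append(raw[i])
            i += 1
    return bytes(out), bad


def inspect(raw_value: str):
    """Return (normalized_text, findings) for one raw query-string value."""
    findings = []
    decoded, bad_pct = percent_decode(raw_value.encode("ascii", "replace"))
    if bad_pct:
        findings.append("invalid-percent-encoding")
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        findings.append("invalid-utf8")
        # Mirror the lenient backend in Problem 1: drop undecodable bytes.
        text = decoded.decode("utf-8", errors="ignore")
    lowered = text.lower()
    findings += ["keyword:" + k for k in KEYWORDS if k in lowered]
    return text, findings


if __name__ == "__main__":
    # Constructed inputs: the two parameter values from the advisory.
    for value in ("dec%E6lare", "dec%lare"):
        print(value, "->", inspect(value))
```

Treating the encoding anomaly as a finding in its own right matters because a well-formed client has no reason to send an invalid UTF-8 byte or a stray percent sign inside a parameter value.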


