Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?

["Arian J. Evans" <arian.evans () anachronic com>]

On Thu, Jun 4, 2009 at 4:22 PM, Prasad Shenoy <prasad.shenoy () gmail com> wrote:
> Has %uff1c %uff1e become very common?

We have seen 44 sites in the last year at WhiteHat Security that were
vulnerable to Fullwidth unicode-encoded attacks. This one tends to be
more ubiquitous than others when you find it. In the applications weak
to this -- we found roughly 200 locations vulnerable to attack in
those 44 applications, and each location would have multiple inputs,
so you are probably talking 1,000+ inputs vulnerable to attack using
this encoding.

> I have found a few places where these
> are still exploitable. Sometime in the coming week I will post my
> observation from one particular encounter of this vulnerability to get some
> responses on what, why and how it is happening.


Interesting. I did some research here too, and found a new Unicode
standard that I think might be a culprit.

I won't be posting any more of the data in this thread. There is
simply too much of it

Jeremiah will be posting some of it at his blog below, and ultimately
there needs to be a good paper on canonicalization. None has yet been
written for the web world. The VXer crowd went through this in the
90's with all of their encoding-evasion techniques for viruses, and
then K2's Polymorphic Shell Code tool brought similar concepts to
payloads delivered across network protocols.

Now the same notions of multiple representations and re-assemblies of
data, in this case to form exploits, is rearing its head in the
webappsec world. Nothing is new under the sun. :) Attackers already
use encoding in the wild for SQL injection, and at least one XSS I
have seen.

Probably 50% of the encoding techniques I know of that can be
leveraged to form attacks -- I cannot even find documented. So I know
our community has some large knowledge gaps on this subject at the
moment and needs more work here.

-ae



> This email gave a good head start.....
>
> Cheers,
> Prasad Shenoy
>
> On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans <arian.evans () anachronic com>
> wrote:
> > Hello 3APA3A -- Remember this thread you started 2 years ago? Long
> > Time no discussion on this topic... :)
> >
> > Turns out you were spot-on. We verified six different variants of
> > this. Jeremiah Grossman published details on his blog:
> >
> >
> > http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
> >
> > It is important to note that when you read the number counts that say:
> >
> > 11 exploitable XSS in 8 websites:
> > %u00ABscript%u00BB
> >
> > The count of "11" is "11 /path/ locations or forms in a web
> > application", not "11 vulnerable inputs". The location might be a .cgi
> > or a servlet, with 1 or dozens of inputs in that same location that
> > are all "vulnerable" to the same attack technique.
> >
> > (We call the individual inputs "attack vectors" instead of
> > "vulnerabilities" to help people group them and make them more
> > actionable. e.g.-people usually don't go fix one input, but instead
> > fix the CGI, servlet, form-input/request-handler and all the
> > associated inputs at once. So reporting each input individually
> > doesn't provide any benefit besides make reports bigger.)
> >
> > Anyway, there are many more of these kind of
> > false-familiar/transliteral transcoding and canonicalization issues.
> >
> > I will continue to feed anything interesting to Jeremiah and it will
> > probably wind up on his blog.
> >
> > Thanks again for opening my mind up to some new angles for
> > filter-evasion tricks! :)
> >
> > ciao
> >
> > --
> > Arian Evans
> > I invest most of my money in motorcycles, mistresses, and martinis.
> > The rest of it I squander.
> >
> >
> >
> >
> > On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian () anachronic com>
> > wrote:
> > > I'll let you know if this hits. I am running this test currently on
> > > about 600 + sites.
> > >
> > > -ae
> > >
> > > On 5/22/07, 3APA3A < 3APA3A () security nnov ru> wrote:
> > > > Dear full-disclosure () lists grok org uk,
> > > >
> > > >   By  the  way:  I saw Unicode Left Pointing Double Angel Quotation
> > > > Mark
> > > >   (%u00AB) / Unicode Right Pointing Double Angel Quotation Mark
> > > > (%u00BB)
> > > >   are  sometimes  translated  to '<' and '>'. Does somebody
> > > > experimented
> > > >   with
> > > >
> > > >   %u00ABscript%u00BB
> > > >
> > > >   in different environments to bypass filtering in this way?
> > > >
> > > > --
> > > > http://securityvulns.com/
> > > >          /\_/\
> > > >         { , . }     |\
> > > > +--oQQo->{ ^ }<-----+ \
> > > > |  ZARAZA  U  3APA3A   } You know my name - look up my number (The
> > > > Beatles)
> > > > +-------------o66o--+ /
> > > >                     |/
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
>
> --
> Thought for the day -
> "Emails can hurt feelings. If this one did, please ignore your feelings."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/