Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] TippingPoint IPS Signature Evasion

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] TippingPoint IPS Signature Evasion
Date: 11 Jul 2007 11:37:41 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  TippingPoint IPS Signature Evasion
------------------------------------------------------------------------


SUMMARY

During security analysis of the Tippingpoint IPS product a signature 
evasion vulnerability was discovered. The use of specific Unicode 
characters on particular web servers allows a remote user to bypass IPS 
detection.

DETAILS

Vulnerable Systems:
 * TippingPoint IPS running TOS version 2.1
 * TippingPoint IPS running TOS version 2.2.0 up to and including 2.2.4

By using a hex encoded alternate Unicode character for forward slash (/) a 
request can be produced that will not match any IPS signature present in 
the TippingPoint device.

Example:
http://www.test.com/scripts/cmd.exe is a known attack, and detected by a 
signature.

The same URI with alternate Unicode forward slash characters are not 
detected by the signature.
http://www.test.com/scripts%c0%afcmd.exe
http://www.test.com/scripts%e0%80%afcmd.exe
http://www.test.com/scripts%c1%9ccmd.exe

Web servers located behind a Tippingpoint IPS device which are capable of 
decoding alternate Unicode characters can be accessed, and exploited  
without triggering the IPS device.

Solutions:
Security-Assessment.com has been in contact with Tipping and a new version 
of the Tippingpoint IPS software has been released to address the 
discovered vulnerability:  
<http://www.3com.com/securityalert/alerts/3COM-07-003.html> 
http://www.3com.com/securityalert/alerts/3COM-07-003.html

This issue has been addressed in various TOS releases as indicated by the 
affected product below.
  - X-Family devices, 2.5.0.6682.
  - non-X-Family device (not including 600E, 1200E, 2400E or 5000E), 
2.5.1.6826.
  - non-X-Family device (including 600E, 1200E, 2400E or 5000E), 
2.5.2.6919.


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:paul.craig@security-assessment.com> Paul Craig.
The original article can be found at:  
<http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf>
 
http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] TippingPoint IPS Signature Evasion, SecuriTeam <=
Previous by Date:  [NT] VSAOD Server Unauthenticated Arbitrary File Overwrites, SecuriTeam
Next by Date:  [NT] Vulnerabilities in .NET Framework Allows Code Execution (MS07-040), SecuriTeam
Previous by Thread:  [NT] VSAOD Server Unauthenticated Arbitrary File Overwrites, SecuriTeam
Next by Thread:  [NT] Vulnerabilities in .NET Framework Allows Code Execution (MS07-040), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]