Brian Eaton wrote:
Has anyone had a look at the full-width unicode encoding trick
discussed here?
http://www.kb.cert.org/vuls/id/739224
BTW - why is this news? it has been known for long:
The trick at large was discussed in "IDS Evasion with Unicode" (by Eric
Hacker) which dates back to 2001
(http://www.securityfocus.com/infocus/1232):
<http://www.securityfocus.com/infocus/1232>
Another way that Unicode can cause problems is that the application or
operation system can assign the same interpretation to different code
points. Thus, even though the Unicode specification dictates that the
code points should be treated differently, the application actually
treats them the same.
I tested IIS on Windows 2000 Advanced Server (English) and found that it
was very good at exhibiting this behavior. For example, here is a list
of the various code points that resolved to the capital letter "A":
U+0041, U+0100, U+0102, U+0104, U+01CD, U+01DE, U+8721.
And the full-width Unicode range and its applicability to bypassing a
specific security mechanism (ASP.NET's XSS protection and Request
Validation mechanisms) was explicitly discussed in a post to BugTraq
titled "XSS vulnerabilty in ASP.Net [with details]
<http://www.securityfocus.com/archive/1/390751/30/0/threaded>" by Andrey
Rusyaev which dates back to 2005
(http://www.securityfocus.com/archive/1/390751):
In specific conditions the cross-site scripting attack (XSS) [1] are
possible on web site under management ASP.Net, because used a wrong
filtration of special HTML characters. Attack exploits vulnerability of
mechanism of converting Unicode strings [2] to national ASCII codepages.
The basic problem arises from the lack of a filtration of special HTML
characters in range U+ff00-U+ff60 (fullwidth ASCII characters [3]).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
