GS07-01 Full-Width and Half-Width Unicode Encoding IDS/IPS/WAF Bypass Vulnerability
Date & Version : 04/14/2007 - 1.0
Description :
Various HTTP content scanning systems (IDS, IPS and WAF products) fail to
properly decode full-width/half-width Unicode encoded traffic before
signature analysis. This may allow malicious content to bypass them.
HTTP content scanning systems use a pre-processor to decode the various
encodings an HTTP request may carry (for example UTF-8 and %XX URL
encoding) before attack signature analysis. "Halfwidth and Fullwidth
Forms" is a Unicode block (U+FF00 to U+FFEF) that contains full-width
variants of the printable ASCII characters (U+FF01 to U+FF5E correspond to
U+0021 to U+007E), so an ASCII character can be carried in a request as
its full-width counterpart instead of the ASCII byte itself.
Some web platforms, among them Microsoft IIS and the .NET Framework,
properly decode this encoding and map the full-width characters back to
their ASCII equivalents before processing the request. Most IDS/IPS/WAF
products, however, do not decode full-width Unicode (%uFFxx) encoded HTTP
requests for analysis, lowercase/uppercase conversion and character
matching. By sending such encoded traffic through a vulnerable content
scanning system to a web server that does decode it, an attacker is able
to bypass the content scanning system.
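The decoding gap described above, as an added example that is not part of this advisory and not code from any affected vendor: a Python script that builds a %uFFxx-encoded request the way an attacker would, runs it through a scanner that does only %XX decoding and ASCII case folding (the behaviour the advisory describes), and then through a scanner that also expands %u escapes and folds full-width forms back to ASCII before case conversion and matching. The %u escape syntax is Microsoft's non-standard URL encoding; the signatures and requests are constructed for the example, and the target server is assumed to accept %u escapes and full-width forms as the advisory says IIS does.

```python
import re
import unicodedata
from urllib.parse import unquote

# Fullwidth forms U+FF01..U+FF5E are the printable ASCII range U+0021..U+007E
# shifted by this constant (Unicode "Halfwidth and Fullwidth Forms" block).
FULLWIDTH_OFFSET = 0xFEE0

# Constructed signatures standing in for an IDS/IPS/WAF rule set.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in
              (r"\.\./", r"<script", r"\bunion\s+select\b")]


def fullwidth_encode(text):
    """Attacker side: rewrite printable ASCII as %uFFxx escapes (the IIS-style
    %u notation named in the advisory; assumed to be accepted by the target).
    Characters outside 0x21..0x7E are left untouched."""
    return "".join("%%u%04X" % (ord(c) + FULLWIDTH_OFFSET)
                   if 0x21 <= ord(c) <= 0x7E else c for c in text)


def decode_percent_u(text):
    """Expand %uXXXX escapes into code points. A standard %XX decoder such as
    urllib.parse.unquote leaves them untouched, which is the gap exploited."""
    return re.sub(r"%u([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def fold_fullwidth(text):
    """Map full-width variants back to ASCII by subtracting the block offset."""
    return "".join(chr(ord(c) - FULLWIDTH_OFFSET)
                   if 0xFF01 <= ord(c) <= 0xFF5E else c for c in text)


def fold_fullwidth_nfkc(text):
    """Same folding via Unicode compatibility normalization, which also covers
    half-width katakana and the other compatibility variants in the block."""
    return unicodedata.normalize("NFKC", text)


def naive_scan(request):
    """Vulnerable pre-processor: only %XX decoding and ASCII lowercasing
    before signature matching, as the advisory describes."""
    decoded = unquote(request).lower()
    return any(sig.search(decoded) for sig in SIGNATURES)


def hardened_scan(request):
    """Fixed pre-processor: also expand %u escapes and fold full-width forms
    to ASCII before case conversion and matching."""
    decoded = fold_fullwidth(decode_percent_u(unquote(request))).lower()
    return any(sig.search(decoded) for sig in SIGNATURES)


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    plain = "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    evasive = ("GET /scripts/"
               + fullwidth_encode("../../winnt/system32/cmd.exe?/c+dir")
               + " HTTP/1.0")
    for name, req in (("plain", plain), ("full-width", evasive)):
        print(name, "naive:", naive_scan(req), "hardened:", hardened_scan(req))
```

The order in hardened_scan matters: %XX decoding first (so a double-encoded %25uFF0E is also reached), then %u expansion, then width folding, and only then lowercasing, since a full-width "S" (U+FF33) is not touched by an ASCII-only case conversion.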
Risk Level : High
Impact : Security Bypass
Systems Affected :
Check Point Web Intelligence (Confirmed)
IBM ISS Proventia Series (Confirmed)
Full List of Vendors : (CERT - Vulnerability Note VU#739224) [1]
Remedy :
Contact your vendor for a hotfix, patch or advanced configuration.
Credits :
Fatih Ozavci (GamaTEAM Member)
Caglar Cakici (GamaTEAM Member)
Discovered using the GamaSEC Exploit Framework
GamaSEC Information Security Audit and Consulting Services
(www.gamasec.net)
Original Advisory Link :
http://www.gamasec.net/english/gs07-01.html
References :
1. CERT - Vulnerability Note VU#739224
http://www.kb.cert.org/vuls/id/739224
2. Unicode Home Page
http://unicode.org
3. Unicode.org, Halfwidth and Fullwidth Forms
http://www.unicode.org/charts/PDF/UFF00.pdf
--
Best Regards
Fatih Ozavci
IT Security Consultant