Full-Width/Half-Width Unicode Bypasses HTTP Scanning

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Based on CERT, ISC, and other warnings below, the capability for security software to interrogate embedded Unicode characters in HTTP requests could be a serious exposure that needs to be patched by several vendors? So far, there are no known in-the-wild attacks:

Full-Width/Half-Width Unicode Bypasses HTTP Scanning
http://www.kb.cert.org/vuls/id/739224
http://isc.sans.org/diary.html?storyid=2807
http://www.gamasec.net/english/gs07-01.html
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
http://www.frsirt.com/english/advisories/2007/1803
http://secunia.com/advisories/25285/

What is Unicode?
http://www.unicode.org/standard/WhatIsUnicode.html

QUOTE: The US-Cert has a vulnerability note out that describes how Full-Width and Half-Width Unicode encoding manages to bypass many HTTP content scanning engines (739224). This would allow remote attackers to hide malicious HTTP traffic by encoding it and have it slip happily past your IDS/IPS. This isn't an exploit itself, but allows exploits that would normally be detected (or blocked) to get through your IDS/IPS undetected.

Posted: May 15 2007, 09:57 PM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.