SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Full-Width/Half-Width Unicode Bypasses HTTP Scanning
US-CERT has published a vulnerability note (739224) describing how full-width and half-width Unicode encoding manages to bypass many HTTP content scanning engines. A remote attacker could encode malicious HTTP traffic this way and have it slip happily past your IDS/IPS. This isn't an exploit in itself, but it lets exploits that would normally be detected (or blocked) get through your IDS/IPS undetected. The only vendor with a verified vulnerability so far is Cisco, which has its own advisory out. However, many vendors have either not responded or not verified whether their software is vulnerable to this, including desktop anti-virus software. The vulnerability has been known since April 16th (apparently) and was made public yesterday.

UPDATE: 3:45 pm CDT, 5/15/07 - TippingPoint has confirmed they are vulnerable as well.

John Bambenek - bambenek /at/ gmail (dot) com
University of Illinois - Urbana-Champaign

ISC Handler
May 15th 2007
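As an added illustration (not part of the original diary or any vendor's code), the sketch below shows why a scanner that only percent-decodes misses a signature written with full-width characters, and how folding with Unicode NFKC before matching restores the hit. The signature list, function names and request URIs are constructed for this example, and it assumes the scanner decodes percent-escapes as UTF-8.

```python
import unicodedata
from urllib.parse import unquote

# Hypothetical signatures for the illustration; not taken from any product.
SIGNATURES = ["/etc/passwd", "<script"]

def naive_scan(raw_uri):
    """Percent-decode only, then match. No Unicode width folding."""
    decoded = unquote(raw_uri).lower()
    return [sig for sig in SIGNATURES if sig in decoded]

def has_width_variants(text):
    """True if text uses the Halfwidth and Fullwidth Forms block (U+FF00-U+FFEF).

    This is a flag for review, not a verdict: half-width katakana in this
    block is legitimate in Japanese content.
    """
    return any(0xFF00 <= ord(ch) <= 0xFFEF for ch in text)

def normalized_scan(raw_uri):
    """Percent-decode, fold compatibility forms with NFKC, then match."""
    decoded = unquote(raw_uri)
    folded = unicodedata.normalize("NFKC", decoded).lower()
    return {
        "hits": [sig for sig in SIGNATURES if sig in folded],
        "width_variants": has_width_variants(decoded),
    }

# Constructed sample request URIs (not captured traffic).
SAMPLES = [
    "/index.html?file=/etc/passwd",                   # plain ASCII
    "/index.html?file=/%EF%BD%85tc/p%EF%BD%81sswd",   # full-width e and a, percent-encoded UTF-8
    "/search?q=\uff1cscript\uff1e",                   # full-width < and >, raw code points
    "/docs/readme.txt",                               # benign
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(repr(uri), naive_scan(uri), normalized_scan(uri))
```

The same folding has to be applied wherever the protected server or application would apply it; a scanner that normalizes differently from the endpoint it protects still leaves a gap.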
