Published: 2007-05-15,
Last Updated: 2007-05-15 20:47:31 UTC
by John Bambenek (Version: 1)
The US-Cert has a vulnerability note out that describes how Full-Width
and Half-Width Unicode encoding manages to bypass many HTTP content
scanning engines (739224). This would allow remote attackers to hide
malicious HTTP traffic by encoding it and have it slip happily past your
IDS/IPS. This isn't an exploit itself, but allows exploits that would
normally be detected (or blocked) to get through your IDS/IPS
undetected. The only vendor who has a verified vulnarability to this is
Cisco who has their own advisory out. However, many vendors have either
not responded or not verified whether their software is vulnerable to
this... including desktop anti-virus software. The vulnerability has
been known since April 16th (apparently) and was made public yesterday.
UPDATE: 3:45 pm CDT, 5/15/07 - Tipping Point has confirmed they are
vulnerable as well.
--
John Bambenek - bambenek /at/ gmail (dot) com
University of Illinois - Urbana-Champaign
