|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
IDS: bypassing IDS with half of full width characters
Synthesis of the vulnerability
An attacker can use half or full width Unicode characters in order to bypass several IDS.
Impacted systems: VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.
Severity of this alert: 2/4.
Consequences of an intrusion: data flow.
Pirate's origin: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Références of this alert: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.
Description of the vulnerability
Unicode character tables contain characters with similar displays. For example:
- the 'à' character can be encoded U+00E0, or 'a' followed by the '`' combining diacritical (U+0061-U+0300)
- the 'ff' string can be encoded U+0066-U+0066, or using the U+FB00 ligature
- the 'a' character can be encoded U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like typing machines ; full-width characters are mainly used as aliases for ASCII-127 characters ; half-width characters are mainly used for simplified Asian characters)
Some software automatically convert characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII-127 characters.
Some IPS/IPS not correctly handle half-width nor full-width characters.
An attacker can therefore use these characters to bypass the IDS.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides computer vulnerability analysis. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The technology watch team tracks security threats targeting the computer system.