The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of IDS: bypassing IDS with half of full width characters

Synthesis of the vulnerability 

An attacker can use half or full width Unicode characters in order to bypass several IDS.
Impacted systems: VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revisions dates: 16/05/2007, 22/05/2007.
Références of this alert: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.

Description of the vulnerability 

Unicode character tables contain characters with similar displays. For example:
 - the 'à' character can be encoded U+00E0, or 'a' followed by the '`' combining diacritical (U+0061-U+0300)
 - the 'ff' string can be encoded U+0066-U+0066, or using the U+FB00 ligature
 - the 'a' character can be encoded U+0061, or using the full-width U+FF41 character (full-width characters have a fixed width, like typing machines ; full-width characters are mainly used as aliases for ASCII-127 characters ; half-width characters are mainly used for simplified Asian characters)

Some software automatically convert characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII-127 characters.

Some IPS/IPS not correctly handle half-width nor full-width characters.

An attacker can therefore use these characters to bypass the IDS.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This cybersecurity announce impacts software or systems such as VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.

Our Vigil@nce team determined that the severity of this threat alert is medium.

The trust level is of type confirmed by the editor, with an origin of internet client.

This bulletin is about 4 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a specialist ability can exploit this computer weakness alert.

Solutions for this threat 

Cisco: solution for IPS.
Cisco's notes indicate proposed solutions.

Snort: version 2.6.1.5.
Version 2.6.1.5 is corrected:
  http://snort.org/dl/

StoneGate IPS: version 4.0.
Version 4.0 and later detect these attacks.

TippingPoint IPS: DV 7287.
Digital Vaccine 7287 is corrected.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a networks vulnerabilities bulletin. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.