Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?

From: Amit Klein <aksecurity_at_nospam>
Date: Tue May 22 2007 - 17:08:03 GMT
To: Brian Eaton <eaton.lists@gmail.com>

Brian Eaton wrote:
> Has anyone had a look at the full-width unicode encoding trick
> discussed here?
>
> http://www.kb.cert.org/vuls/id/739224
>

BTW - why is this news? it has been known for long:

The trick at large was discussed in "IDS Evasion with Unicode" (by Eric Hacker) which dates back to 2001
(http://www.securityfocus.com/infocus/1232): <http://www.securityfocus.com/infocus/1232>

Another way that Unicode can cause problems is that the application or operation system can assign the same interpretation to different code points. Thus, even though the Unicode specification dictates that the code points should be treated differently, the application actually treats them the same.

I tested IIS on Windows 2000 Advanced Server (English) and found that it was very good at exhibiting this behavior. For example, here is a list of the various code points that resolved to the capital letter "A": U+0041, U+0100, U+0102, U+0104, U+01CD, U+01DE, U+8721.

And the full-width Unicode range and its applicability to bypassing a specific security mechanism (ASP.NET's XSS protection and Request Validation mechanisms) was explicitly discussed in a post to BugTraq titled "XSS vulnerabilty in ASP.Net [with details] <http://www.securityfocus.com/archive/1/390751/30/0/threaded>" by Andrey Rusyaev which dates back to 2005
(http://www.securityfocus.com/archive/1/390751):

In specific conditions the cross-site scripting attack (XSS) [1] are possible on web site under management ASP.Net, because used a wrong filtration of special HTML characters. Attack exploits vulnerability of mechanism of converting Unicode strings [2] to national ASCII codepages. The basic problem arises from the lack of a filtration of special HTML characters in range U+ff00-U+ff60 (fullwidth ASCII characters [3]).

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: Arian J. Evans: "Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?"
Previous message: Brian Eaton: "Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?"
In reply to: Brian Eaton: "[Full-disclosure] noise about full-width encoding bypass?"
Next in thread: Arian J. Evans: "Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?"
Reply: Arian J. Evans: "Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]