Date: Tue, 22 May 2007 19:08:03 +0200
From: Amit Klein <aksecurity@...il.com>
To: Brian Eaton <eaton.lists@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	Web Security <websecurity@...appsec.org>
Subject: Re: [WEB SECURITY] noise about full-width encoding bypass?

Brian Eaton wrote:
> Has anyone had a look at the full-width unicode encoding trick 
> discussed here?
>
> http://www.kb.cert.org/vuls/id/739224
>

BTW - why is this news? It has been known for a long time:

The trick at large was discussed in "IDS Evasion with Unicode" (by Eric 
Hacker) which dates back to 2001 
(http://www.securityfocus.com/infocus/1232): 

Another way that Unicode can cause problems is that the application or 
operating system can assign the same interpretation to different code 
points. Thus, even though the Unicode specification dictates that the 
code points should be treated differently, the application actually 
treats them the same.

I tested IIS on Windows 2000 Advanced Server (English) and found that it 
was very good at exhibiting this behavior. For example, here is a list 
of the various code points that resolved to the capital letter "A": 
U+0041, U+0100, U+0102, U+0104, U+01CD, U+01DE, U+8721.


And the full-width Unicode range and its applicability to bypassing a 
specific security mechanism (ASP.NET's XSS protection and Request 
Validation mechanisms) were explicitly discussed in a post to BugTraq 
titled "XSS vulnerabilty in ASP.Net [with details]" by Andrey 
Rusyaev which dates back to 2005 
(http://www.securityfocus.com/archive/1/390751):

In specific conditions, cross-site scripting (XSS) attacks [1] are 
possible on web sites running under ASP.Net, because of incorrect 
filtering of special HTML characters. The attack exploits a vulnerability in 
the mechanism that converts Unicode strings [2] to national ASCII codepages. 
The basic problem arises from the lack of filtering of special HTML 
characters in the range U+ff00-U+ff60 (fullwidth ASCII characters [3]).

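The ordering problem both quoted excerpts describe, as an added example in Python (not code from the original post or from the cited advisories): a filter that inspects the raw string passes fullwidth forms that a later conversion maps back onto ASCII, while canonicalising before validation catches them. The codepage best-fit conversion of IIS/ASP.Net is approximated here with Unicode NFKC normalisation, which is an assumption; the sample input is constructed.

```python
import unicodedata

def to_fullwidth(s: str) -> str:
    """Map printable ASCII 0x21-0x7E onto the fullwidth block U+FF01-U+FF5E
    (the range the Rusyaev post calls U+ff00-U+ff60); other characters pass through."""
    return "".join(
        chr(ord(c) - 0x21 + 0xFF01) if 0x21 <= ord(c) <= 0x7E else c
        for c in s
    )

def filter_then_convert(value: str) -> tuple[bool, str]:
    """Vulnerable order: validate the raw input, then convert it.
    Returns (blocked, converted_value)."""
    blocked = "<" in value or ">" in value
    # NFKC stands in (assumption) for the best-fit codepage mapping that
    # folds fullwidth forms onto their ASCII counterparts after the check.
    converted = unicodedata.normalize("NFKC", value)
    return blocked, converted

def convert_then_filter(value: str) -> tuple[bool, str]:
    """Hardened order: canonicalise first, then validate the canonical form.
    Returns (blocked, converted_value)."""
    canonical = unicodedata.normalize("NFKC", value)
    blocked = "<" in canonical or ">" in canonical
    return blocked, canonical

# Constructed sample: the ASCII tag "<tag>" written entirely in fullwidth forms.
SAMPLE = to_fullwidth("<tag>")

if __name__ == "__main__":
    print(filter_then_convert(SAMPLE))   # (False, '<tag>')  -> check bypassed
    print(convert_then_filter(SAMPLE))   # (True, '<tag>')   -> check holds
```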
