lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060621131118.23987.qmail@securityfocus.com>
Date: 21 Jun 2006 13:11:18 -0000
From: k.huwig@...-ag.de
To: bugtraq@...urityfocus.com
Subject: Bypassing of web filters by using ASCII


_______________________________________________________________________

                           iKu Advisory
_______________________________________________________________________

Product               : Microsoft InternetExplorer 6
                      : various filter applications
Date                  : June 20th 2006
Affected versions     : all
Vulnerability Type    : bypassing security filters
Severity (1-10)       : 10
Remote                : yes
_______________________________________________________________________

0. contents

  1. problem description
  2. affected software
  3. bug description/possible fix
  4. sample code
  5. workaround


1. problem description

The character set ASCII encodes every character with 7 bits. Internet
connections transmit octets with 8 bits. If the content of such a
transmission is encoded in ASCII, the most significant bit must be ignored.

Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6,
only the InternetExplorer does this correctly, the others evaluate the
bit and display the characters as if they were from the character set
ISO-8859-1. Although the behaviour of the InternetExplorer is the
correct one, this creates a security risk: the author of a web page can
set the bit on arbitraty characters without changing the look of the
page. But virus scanners and content filters see completely different
characters, so that there programs cannot detect viruses or spam.

This offers spammers and virus writers the possibility to bypass
installed spam and virus filters.


2. affected software

Only the InternetExplorer displays ASCII encoded web pages as 7 bit. We
checked several hardware router and antivirus solutions, all of which
failed to detect malicious JavaScript in manipulated web pages.


3. bug description/possible fix

It should be quite easy to close this hole within filter/scan
applications by clearing the most significant bit on ASCII encoded web
pages before analysing them.


4. sample page

At

	http://www.iku-ag.de/ASCII

you can find a test page that displays a secret message. IE6 displays
the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text.
This page only shows that IE6 displays ASCII-text correctly and does not
contain any content that a filter should sort out.

Updated information can be found at

	http://www.iku-ag.de/sicherheit/ascii-eng.jsp


5. workaround

There is no workaround know to us.
--
Kurt Huwig iKu Systemhaus AG http://www.iku-ag.de/ Vorstand Am Römerkastell 4 Telefon 0681/96751-0 66121 Saarbrücken Telefax 0681/96751-66 GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940 EB6D 4C32 F908 99DD 9468 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ