
CERT-In Advisory CIAD-2007-24
Full-Width/Half-Width Unicode Bypasses HTTP content Scanning

Original issue date: May 16, 2007

Severity Rating: High

Systems Affected

  • Applications and Systems using “HTTP content scanning” like IDS / IPS

Overview

Specially crafted HTTP traffic encoded with full-width/half-width Unicode may bypass application security controls, or escape proper scanning, on a vulnerable HTTP content scanning system.

Description

Unicode is an industry standard designed to allow text and symbols from all of the writing systems of the world to be consistently represented and manipulated by computers. Full-width and half-width forms are an alternative Unicode encoding of characters that also have an ordinary (including ASCII) representation. HTTP content scanning systems have a pre-processor that decodes the various encodings an HTTP request may use, such as UTF encoding, before attack signature analysis.

This is not an exploit in itself, but it allows exploits that would normally be detected (or blocked) to pass through IDS / IPS or HTTP content scanning systems undetected.

By encoding exploit code in the full-width or half-width Unicode character set, an attacker can evade detection by the HTTP content scanning in systems such as IDS / IPS or firewalls and can bypass the relevant application security controls, which may allow the attacker to covertly scan and attack systems that these devices normally protect.

It may be noted that most of the HTTP content scanning systems currently available may be vulnerable to this issue. Some vendors have already confirmed that their products are affected. Refer to the References section for details.
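As an added illustration (not part of the CERT-In advisory or any vendor's code), the following Python sketch shows why a scanner that matches signatures only after percent-decoding misses a full-width encoded path, and how folding full-width/half-width forms with Unicode NFKC before matching restores detection. The signature, the request lines and their percent-encoded bytes are constructed for this example.

```python
import unicodedata
from urllib.parse import unquote

# Hypothetical signature a content scanner might look for in a request target.
SIGNATURES = ["/etc/passwd"]


def decode_request(raw: str) -> str:
    """Percent-decode the request into a Unicode string (UTF-8), which is the
    first step a content-scanner pre-processor performs."""
    return unquote(raw, encoding="utf-8", errors="replace")


def normalize_width(text: str) -> str:
    """Fold full-width (U+FF01..U+FF5E) and half-width forms to their
    compatibility equivalents. NFKC does this (and other compatibility folds),
    so it must run before signature matching, not after."""
    return unicodedata.normalize("NFKC", text)


def scan(raw_request: str, normalize: bool) -> list:
    """Return the signatures found in a request, with or without width folding."""
    decoded = decode_request(raw_request)
    if normalize:
        decoded = normalize_width(decoded)
    return [sig for sig in SIGNATURES if sig in decoded.lower()]


# Constructed samples. FULLWIDTH is PLAIN with every character of the file
# parameter replaced by its full-width form (code point + 0xFEE0), UTF-8
# percent-encoded: "/" -> %EF%BC%8F, "e" -> %EF%BD%85, and so on.
PLAIN = "GET /cgi-bin/view?file=/etc/passwd HTTP/1.0"
FULLWIDTH = (
    "GET /cgi-bin/view?file="
    "%EF%BC%8F%EF%BD%85%EF%BD%94%EF%BD%83"                          # ／ｅｔｃ
    "%EF%BC%8F%EF%BD%90%EF%BD%81%EF%BD%93%EF%BD%93%EF%BD%97%EF%BD%84"  # ／ｐａｓｓｗｄ
    " HTTP/1.0"
)

if __name__ == "__main__":
    for name, req in (("plain", PLAIN), ("full-width", FULLWIDTH)):
        print(f"{name:10} naive={scan(req, normalize=False)} "
              f"folded={scan(req, normalize=True)}")
```

The naive pass reports the full-width request as clean because the decoded text contains U+FF0F, U+FF45 and so on rather than ASCII, while the folded pass matches the same signature in both requests.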

Solution

Users are advised to contact their respective vendors for solutions or workarounds.

References

  • http://isc.sans.org/diary.html?storyid=2807
  • http://www.kb.cert.org/vuls/id/739224
  • http://www.gamasec.net/english/gs07-01.html
  • http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
  • http://www.3com.com/securityalert/alerts/3COM-07-001.html

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003