Re: Bypassing of web filters by using ASCII

To: k.huwig@xxxxxxxxx
Subject: Re: Bypassing of web filters by using ASCII
From: Paul <pvnick@xxxxxxxxx>
Date: Wed, 21 Jun 2006 18:24:16 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Ixo4NRVaomo1/7XlAWmdRYlf2IFYW5ShSVRk53cagj4W3j/eedje1adsKDI41q0f8cIwRu3ZmqGzYpsjlHY4kPQwzm9d6gi02XTdi34iLmu3jXBmGrGVDunL/l8UFN2Ih3siDejrgttbfxeEYRjVdThLy2cN34blckK3TgY8q1I=
In-reply-to: <4499A8E7.9020906@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060621131118.23987.qmail@xxxxxxxxxxxxxxxxx> <4499A8E7.9020906@xxxxxxx>

Very interesting, indeed. Does this work with functional characters
such as html brackets? What about html tag obfuscation (bypassing
script filters such as those in place at hotmail)?

Nice find.

Paul

On 6/21/06, Fixer <fixer@xxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This also affects IE 7 Beta 2.

Did you shoot this over to Microsoft?

k.huwig@xxxxxxxxx wrote:
> _______________________________________________________________________
>
>
>                            iKu Advisory
>
> _______________________________________________________________________
>
>
> Product               : Microsoft InternetExplorer 6
>
>                       : various filter applications
>
> Date                  : June 20th 2006
>
> Affected versions     : all
>
> Vulnerability Type    : bypassing security filters
>
> Severity (1-10)       : 10
>
> Remote                : yes
>
> _______________________________________________________________________
>
>
> 0. contents
>
>
>   1. problem description
>
>   2. affected software
>
>   3. bug description/possible fix
>
>   4. sample code
>
>   5. workaround
>
>
>
> 1. problem description
>
>
> The character set ASCII encodes every character with 7 bits. Internet
>
> connections transmit octets with 8 bits. If the content of such a
>
> transmission is encoded in ASCII, the most significant bit must be ignored.
>
>
> Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6,
>
> only the InternetExplorer does this correctly, the others evaluate the
>
> bit and display the characters as if they were from the character set
>
> ISO-8859-1. Although the behaviour of the InternetExplorer is the
>
> correct one, this creates a security risk: the author of a web page can
>
> set the bit on arbitraty characters without changing the look of the
>
> page. But virus scanners and content filters see completely different
>
> characters, so that there programs cannot detect viruses or spam.
>
>
> This offers spammers and virus writers the possibility to bypass
>
> installed spam and virus filters.
>
>
>
> 2. affected software
>
>
> Only the InternetExplorer displays ASCII encoded web pages as 7 bit. We
>
> checked several hardware router and antivirus solutions, all of which
>
> failed to detect malicious JavaScript in manipulated web pages.
>
>
>
> 3. bug description/possible fix
>
>
> It should be quite easy to close this hole within filter/scan
>
> applications by clearing the most significant bit on ASCII encoded web
>
> pages before analysing them.
>
>
>
> 4. sample page
>
>
> At
>
>
>       http://www.iku-ag.de/ASCII
>
>
> you can find a test page that displays a secret message. IE6 displays
>
> the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text.
>
> This page only shows that IE6 displays ASCII-text correctly and does not
>
> contain any content that a filter should sort out.
>
>
> Updated information can be found at
>
>
>       http://www.iku-ag.de/sicherheit/ascii-eng.jsp
>
>
>
> 5. workaround
>
>
> There is no workaround know to us.
>
> --
>
> Kurt Huwig iKu Systemhaus AG http://www.iku-ag.de/ Vorstand Am Römerkastell 4 
Telefon 0681/96751-0 66121 Saarbrücken Telefax 0681/96751-66 GnuPG 1024D/99DD9468 64B1 
0C5B 82BC E16E 8940 EB6D 4C32 F908 99DD 9468
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRJmo5wt0Y4479LtgAQJ6/gf9HiQlg8HcteEKECisR3x0sWH0hptcr9De
aaaQMJkTvnlwtTKTnrIe7TdZaeAKPNnsh6VMyS5zaOPqnwFfjKjmRK21Ml6m0wLB
fKR8XQM+xO9hdNSO7wvjFJC8/NuDhts3M6hKiUHcOqOEEmWH+jll1OchiDTG3AB3
9vAIH1WuYH101gOwt9RSYD3kjujQjro+RQWj5eez42MZEn7k/Fl69XtaVbjMb16M
Ud99mpk45JKUWUOuSXXT5VEQJI95M+9Oe7IZmchI89hCDtD6Q38tBGo8nrBweld8
/WFdI5v1YStONnJS1mB1zeGmn1nyXiRRN+2KDaNYc0rld6v1He6SpA==
=fAiX
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Bypassing of web filters by using ASCII
  - From: Thor (Hammer of God)
- Re: Bypassing of web filters by using ASCII
  - From: Amit Klein (AKsecurity)
- Re: Bypassing of web filters by using ASCII
  - From: Kurt Huwig

References:
- Bypassing of web filters by using ASCII
  - From: k . huwig
- Re: Bypassing of web filters by using ASCII
  - From: Fixer

Prev by Date: Somechess v1.5 rc1 - XSS
Next by Date: [ MDKSA-2006:109 ] - Updated wv2 packages fix vulnerability
Previous by thread: Re: Bypassing of web filters by using ASCII
Next by thread: Re: Bypassing of web filters by using ASCII
Index(es):
- Date
- Thread