Slashdot Mirror
Unicode Encoding Flaw Widespread
LordNikon writes "According to this CERT advisory: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' A proof of concept affecting IIS is already being posted to security mailing lists. Cisco IPS and other IDS products are also affected." The CERT advisory lists 93 systems, with 6 reported as vulnerable (including 3com, Cisco, and Snort), 5 known not vulnerable (including Apple and HP), and the rest unknown.
This appears to be limited to content scanning, and isn't really a vulnerability in itself. Relying on content scanning to prevent an exploit to reach an exploitable system is a pretty bad idea, much better to fix the system than the extra layer of defense on the outside.
Content scanning is mostly useful against filtering known exploits, and is hardly meant to be your primary defense. Being able to bypass this scanning won't buy you much. If the content scanner is aware of an exploit it scans for, chances are so are the systems being targeted and are patched to protect against it.
I.O.U One Sig.
Quick! Claim the $16,000! http://it.slashdot.org/article.pl?sid=07/05/18/189 208
"It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."
Doh!
I work incident response in a large web company (hence anonymous posting, natch) and currently we're treating this as "interesting, but case not proven". We test our web apps filter all input so I'm adding double-width unicode to our security regression test cases; however I'm happy to let the FD posters lab it out between them in the short term. These alleged IIS exploits don't work for us - which is not to say that we don't have some system, somewhere, for which this is an issue. At the end of the day it's just a clear restatement of something that's obvious to anyone - you need to filter input carefully, and you need to be aware of issues around alternative encodings. But it's not a "BRB" (big-red-button, ie emergency stop and all hands to the pumps to fix a vulnerability) issue for us - yet. The last time we had one of those, it was the Microsoft DNS server remote root... because most of our internal domain controllers were also running DNS servers.
Who needs Unicode anyway? ASCII is good enough for most civilized people. If you can't sufficiently Romanize your language, maybe it's time to just let it die?
According to the advisory, Apple products do not provide HTTP content filtering and are therefore not vulnerable. This will do nothing to help someone build a functioning protection system.
$-$
They've been trying to sell this kind of kit to us for years.
Quack, quack.
What did Apple and HP get right?
Obsolete, obscure, open source, in house?
Domestic spying is now "Benign Information Gathering"
will someone please explain to a non security guy why this list is so empty. it seems to me that this should be easy to test for in every IDS type software. I could see more exotic equipment like alcatel being untested yet but it seems there should be enough accessibility of d-link and fedora for example that they should be tested by now. I'd personally test them myself when I got home from work if I knew enough to be able to attempt the exploit.
thats right, I rarely use capitals. deal with it. but don't mistake my laziness for stupidity
I'm wondering if the great firewalls (Cisco product?) are also vulnerable to this. At least it'll force them to do longer string matching.
I wonder how much of this vulnerability has to do with the C programming language's lack of Unicode support...
That Unicode is a very bad idea in all semantics carrying containers is nothing new. In fact one of the counterarguments to Unicode ist that it is a nightmare to secure. Filter evasion was expected to be a typical security concern. We will see more of this and all only because some people want features without ever reflecting on what problems they might cause.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The English alphabet is quite small, small enough that we can waste encoding space on every character twice (upper and lower case). I dunno about Arabic, but the Chinese alphabet is quite a bit larger, even if you only encode unique strokes. To answer your question, yes the English is fundamentally simpler to work with for a computer.
If you want to represent a language on a computer (and not just numbers) then you need a way to enter and store all the characters that language uses. Obviously the less characters the better. The latin alphabet with all its variations, the cyrillic , hebrew, arabic & korean all lend themselves to this quite easily since they all have a manageable number of letters. Languages such as Chinese and Japanese don't , they don't even use alpabets , they use characters for each object/concept which as you can imagine is a bugger when you need a keyboard of a manageable size not to mention the memory to store each character bitmap (not an issue now , but 40 years ago it would have been a nightmare).
This is only a guess on my part but I suspect computers would have developed completely differently if they'd been developed by a culture that used symbols rather than alphabets.
In Soviet Russia, Ron Paul is for regulating software security!
Wait.
That made no sense.
And this isn't an article about Ron Paul for President..
But, hey.. This comment is likely just about as relevant to the article, as the rest of them.
Maybe more so.
I'm not Ron Paul, and I don't approve this message.
4) You are an idiot
5) You are an asshole
It is a vulnerability, in the strict sense.
...
It is a self-inflicted misbehaviour as in common sense.
It is like those silly Cisco content inspectors on port 25, that try to avoid attacks on flimsy MTAs.
It is like someone dying from a jab against measles: the jab protected that person from contracting measles, actually.
It is like those stupid anti-virus programs that are more vulnerable than the daemons they profess to protect.
When the attacker uses a codepage different from the one that you think she ought to use, she can circumvent your content filter. Which ought not be an attack vector, in any case.
As I said: nothing to see, move along
1) unicode is better than having a hundred other encodes to debug
2)there's is nearly two billion chinese and Indians, who can't use your encoding.
3)I get just as much spam from US companies as I do foreign ones
i thought once I was found, but it was only a dream.
The linked "proof of concept" is an example of how to encode a "q" letter. It is a perfectly legal coding and it is correctly converted by IIS/ASP.
Microsoft is not listed as having any product affected by this "vulnerability". They are listed as "unknow".
This affects content filtering systems (such as naive firewalls) which relies on byte-for-byte comparison to filter out unwanted content.
What kind of a flawed design is it where character encoding can impact security. The concept of scanning for unsafe strings is also flawed as in the case of virus scanning, as it only know about the stuff it knows about. This is another example of Ranums enumerating badness. If the SQL engine used only stored procedures then you wouldn't have to run a content scanner as the only thing coming over HTTP is DATA.
davecb5620@gmail.com
Back in the Win95 days, I recall a stupid little exploit that would lock up a Win95 machine. The root of the problem, however, was in the TCP/IP code from BSD's source. Microsoft had used BSD's TCP/IP stack code in building one for Win95. I'm not here to complain that big bad commercial vendors are "stealing" from the open source community. I'm just suggesting that perhaps this is yet another example of how OSS has made yet another important, thought silent, contribution.
It's annoying to me when people suggest that OSS is sub-par in some way or another. It would be nice if there were a long list somewhere of all the more commonly identified examples of OSS contibutions to commercial code. Then it can be more conveniently shown that commercial code quite often depends on the derided OSS code.
Grandparent is correct; what these Floridans send doesn't qualify as English.
"I Know You Are But What Am I?"
No, it's not.
'Back in the Win95 days, I recall a stupid little exploit that would lock up a Win95 machine. The root of the problem, however, was in the TCP/IP code from BSD's source'
I assume you are referring to the ping of death. The root cause being a bug in the TCP protocol and occured on other platforms not using the BSD code.
was Another likely example of OSS?
davecb5620@gmail.com
In Disney's 1994 film The Santa Clause , an elven character named Bernard (David Krumholtz), who accents his name on the last syllable, explains some of the basic rules to Santa. I've never heard "Bernard" pronounced any other way.
Otherwise, I agree with your post.
chinese and other asian people can't use Unicode : lots of characters are missing.
now those utf-8 zealots will tell you stupid things like "who cares, chinese really use about only 10k chars and those are in utf-8, the other 40k or 70k are not used daily by those people, so utf-8 is still ok right ?"
well no, it defeats the whole purpose of Unicode. if you think its ok, then why should west-europeans and americans/canadians/australians CARE about non-ISO-8859-1 chars ?
Composing the stokes are not difficult. No it it's not. It's the character encoding that's troublesome. Har har.
Oh, and there are still a good number of stokes, some that aren't supported by common setups even today. And complaining about it being called an alphabet is the same as being anal.
After reading through this carefully, it seems the fault is really with the webserver software (in this case, IIS). The problem is that normally a full-width character (such as FF1C in the example) and the regular character "<" are not equivalent, but IIS is translating the full-width form of a character into the regular character, so although the two forms were distinct before reaching the frontline filters, they are no longer distinct by the time it reaches application code running under IIS.
I guess whether you call this a fault depends on whether you think the webserver should be translating full-width characters to their equivalents. I tested a webpage, and both IE and FF do not consider "<" and "\uFF1C" (encoded in UTF-8) to be equivalent. The latter is displayed as a giant angle bracket, and does not work as the start of an HTML tag. I would think that the webserver should also respect this distinction. Anyone know more about full-width characters, or why they even exist?
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
Great reply, thank you. I haven't used Windows for a few years, but it's good to keep up with this kind of thing, and I'm sure others can benefit from this information.
I am TheRaven on Soylent News
So how long til we find out that there has been exploitation of this vulnerability for X number of months for the sole purpose of stealing our WoW accounts!!!
Why steal someone's real identity when you can steal their uber virtual Undead Priest identity and sell it for 16 bucks.
News Reporters Make Tasty Polar Bear Treats!
Am I the only one who has noticed that since CERT partnered with the US Government, the response time on advisories has been much slower, and the details and depth of reports are less comprehensive? CERT advisories used to be a critical part of our security strategy. Now by the time the hit the mailing list (if at all), they're more of an afterthought.
Is there a better alternative to CERT now because it just isn't cutting it. I am familiar with Bugtraq and Security Focus. By the time CERT mentions something, usually it's actively exploited. It wasn't always like this but now the service isn't nearly as helpful to administrators.
"Windows makes no distinction between privileged and unprivileged ports, so any application that can open sockets can listen on port 80. That said, every port number (and every other object in the NT kernel) has an associated ACL, so it is possible to limit them on an individual basis." - by TheRaven64 (641858) on Tuesday May 22, @06:27AM (#19218865)
/cableguy/cg0605.mspx [microsoft.com]
Programmatically, on a "per-application basis", the other respondents outlined (@ a kernel level, using NtAPI/ZwAPI calls) a method for you to explore here:
http://it.slashdot.org/comments.pl?sid=235621&cid= 19221887
Now, on this material next below?
Well, I think this might help you some as well, as to limiting ports accesses on various ports WHOLESALE (Ip stack filtering) &/or on a user-defined basis (via IP Security Policies), below after this quote of yours, next:
"I've never seen this exposed to the UI though, so I've no idea how you'd go about doing it" - by TheRaven64 (641858) on Tuesday May 22, @06:27AM (#19218865)
You have this on ports, via a GUI method as mentioned above!
There are 2 ways:
1.) Port filtering
& alternately
2.) IP Security Policies (ontop of software firewalls (which also have some control here & at the application level no less) & hardware 'firewalls').
You may find this useful (or, others may, as YOU in particular may be aware of this stuff already, one never knows, but I am mentioning it here in detail anyhow for your reference, or for that of others who use Windows NT-based OS that have these features (Windows 2000/XP/Server 2003/VISTA):
FIRST - Read this article, for background. Mainly because it shows you how to limit/unleash various ports and what drivers act on them as filters, & @ what levels in the network stack for Windows:
TCP/IP Packet Processing Paths:
http://www.microsoft.com/technet/community/columns
IpNat.sys, IpFltDrv.sys, IpSec.sys, & TcpIp.sys in Windows 2000/XP/Server 2003/VISTA each has abilities for port restrictions!
This sounds like what you guys are looking for!
The steps below are basically how to use it (implement it) for limiting access to various ports, via GUI interfaces no less, in Windows versions noted above.
All of this & the tools noted can be used for LAYERED SECURITY in this manner (port filtering, IP Security Policies, software firewalls, & hardware NAT routers (true packet stateful inspection ones, & 'ordinary' NAT units as well)!
They ALL can be used simultaneously/concurrently, in layers, per the article from MS above entitled "TCP/IP Packet Processing Paths"
IPSecurity Policies are implemented in secpol.msc (this is the most complex of the lot, and I recommend "AnalogX's" model, as it works (but, can be troublesome with filesharing tools like EMule mind you), & can be downloaded here:
ANALOGX IP SECURITY POLICY OVERVIEW/HOW TO EXPLANATION:
http://www.analogx.com/contents/articles/ipsec.htm [analogx.com]
ANALOGX IP SECURITY POLICY TEMPLATE DIRECT DOWNLOAD:
http://www.analogx.com/files/aps-ipsec.zip [analogx.com]
(You can tune AnalogX's template model as you like above & beyond its original form for apps YOU use in particular)
AnalogX's IP Security Policy provides a good template to start with!
IP PortFiltering is done here/HOW TO, STEP-by-STEP:
Start Button -> Control Panel -> Network Connections -> Local Area Connection (or whatever you called yours) -> Properties Button -> (Next Popup dialog screen) -> Highlite "Internet Pro
Yeah, but according to a business week article, 1.847 billion of those chinese and indians won't buy your software, they'll just pirate it. So fuck it, let them write their own software. They can use however many bytes per character they want. Anyway, I miss plain ASCII. Much more elegant, and you can use char buffers as buffers for binary data without dicking around with lo-byte / hi-byte nonsense.
That comes as a complete surprise to me, and I thought I knew at least a little about Unicode and other character encoding schemes. The usual methods of encoding Unicode character points are UTF-8 (variable-length scheme where characters may be represented by anything from one to six bytes), UTF-16 (fixed-width double byte encoding), UTF-32 (fixed-length 4 byte encoding), and well there's UTF-7 and other oddballs. But the closest I've ever heard of "half width" and "full width" is in connection with Asian--specifically Japanese--characters. There are Asian character sets that have "half-width" and "full-width" variants. Though this is inconsistent with the original intent of Unicode, these character variants (each pair of which are really forms of the same character that have different widths) were defined as separate Unicode characters.
Maybe everyone else knows what they're talking about, and I missed some crucial piece of information...but I don't understand how mistaking one character for another is going to break anything--you'll just have the wrong characters. Anyway, are they talking about HTML content sent via HTTP, or URLS, or what? Can anyone explain this better? Or am I not supposed to understand it?
Great men are almost always bad men--Lord Acton's Corollary
"Full-width and half-width encoding is a technique for encoding Unicode characters" No, these are not Unicode encoding techniques, whoever wrote that description has no clue. They are forms of Latin characters used in Japanese, with clear usage, and long history. You can find them in the JIS standards (Japanese Standards Association), and where used by UNIX, MS-DOS, Windows 3.x, Mac OS, long-long before Unicode was even created. The problems is not Unicode, is not even JIS, is the vendors that have no clue about international issues that exist for more than 20 years now.
No, you haven't been the only one to notice that CERT has some timeliness issues when it comes to reporting on threats. Other CERTs, such as AusCERT, have the same sort of problem - particularly when you consider their public notification data (separate from their paid-for disclosure lists). Accepting that it takes time to analyse and report information, and accepting that they are disclosing to their fee-paying / sponsoring clients first, the recorded dates of information discovery are often significantly incorrect. This particular report comes as quite a surprise to us. We had always considered that variable-width encoding was relatively well understood by InfoSec companies, especially those that provide services in multiple languages. It always seemed more self-evident than HTTP-Request/Response splitting, for example.
The timeliness same problem also affects moderated sources such as BT and the various SecFocus sources, where there can be a several day delay between initial disclosure and appearance on those sources (if not longer - one particular list has recently developed a delay of > 1 week for new posts). Plus, you always get the problem of identifying what sources are accurate and relevant (hint: the CitiBank Screencap argument is about 2 years too late).
So, where do you look for additional resources? You could always look at companies like Secunia, FrSIRT, eEye, Symantec, or McAfee, but it is possible to time threat disclosure so that there is an approx 72 hour delay before they pick up on the threat, and there is always the question of coverage - McAfee will always have a focus on virus, worm and some malware threats.
Or, you could always use our services (http://www.beskerming.com).
We have a number of established free and fee-based services that deliver timely, relevant and accurate information about current and emerging threats. They effectively cut out the irrelevant noise that is most of the massive amount of data (across a number of different information channels) that is Information Security disclosure.
We have no vendor affiliation, do not rely on sponsorship or advertising in order to deliver our services, and strive to be platform neutral when analysing and reporting on issues. We know that our services are already being used by companies to augment their Incident Response Team information sources (as well as to validate the data coming from their more expensive, less-timely data sources), and for some clients our services form the core of their security response strategies.
Why not get in touch? We're more than happy to have someone chat to you about your InfoSec needs.
InfoSec that matters, when it counts.