[NEWS] TippingPoint IPS Signature Evasion
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 11 Jul 2007 11:37:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
TippingPoint IPS Signature Evasion
During security analysis of the Tippingpoint IPS product a signature
evasion vulnerability was discovered. The use of specific Unicode
characters on particular web servers allows a remote user to bypass IPS
* TippingPoint IPS running TOS version 2.1
* TippingPoint IPS running TOS version 2.2.0 up to and including 2.2.4
By using a hex encoded alternate Unicode character for forward slash (/) a
request can be produced that will not match any IPS signature present in
the TippingPoint device.
http://www.test.com/scripts/cmd.exe is a known attack, and detected by a
The same URI with alternate Unicode forward slash characters are not
detected by the signature.
Web servers located behind a Tippingpoint IPS device which are capable of
decoding alternate Unicode characters can be accessed, and exploited
without triggering the IPS device.
Security-Assessment.com has been in contact with Tipping and a new version
of the Tippingpoint IPS software has been released to address the
This issue has been addressed in various TOS releases as indicated by the
affected product below.
- X-Family devices, 126.96.36.19982.
- non-X-Family device (not including 600E, 1200E, 2400E or 5000E),
- non-X-Family device (including 600E, 1200E, 2400E or 5000E),
The information has been provided by
<mailto:paul.craig@xxxxxxxxxxxxxxxxxxxxxxx> Paul Craig.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] VSAOD Server Unauthenticated Arbitrary File Overwrites
- Next by Date: [NT] Vulnerabilities in .NET Framework Allows Code Execution (MS07-040)
- Previous by thread: [NT] VSAOD Server Unauthenticated Arbitrary File Overwrites
- Next by thread: [NT] Vulnerabilities in .NET Framework Allows Code Execution (MS07-040)