[NEWS] TippingPoint IPS Signature Evasion



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



TippingPoint IPS Signature Evasion
------------------------------------------------------------------------


SUMMARY

During security analysis of the Tippingpoint IPS product a signature
evasion vulnerability was discovered. The use of specific Unicode
characters on particular web servers allows a remote user to bypass IPS
detection.

DETAILS

Vulnerable Systems:
* TippingPoint IPS running TOS version 2.1
* TippingPoint IPS running TOS version 2.2.0 up to and including 2.2.4

By using a hex encoded alternate Unicode character for forward slash (/) a
request can be produced that will not match any IPS signature present in
the TippingPoint device.

Example:
http://www.test.com/scripts/cmd.exe is a known attack, and detected by a
signature.

The same URI with alternate Unicode forward slash characters are not
detected by the signature.
http://www.test.com/scripts%c0%afcmd.exe
http://www.test.com/scripts%e0%80%afcmd.exe
http://www.test.com/scripts%c1%9ccmd.exe

Web servers located behind a Tippingpoint IPS device which are capable of
decoding alternate Unicode characters can be accessed, and exploited
without triggering the IPS device.

Solutions:
Security-Assessment.com has been in contact with Tipping and a new version
of the Tippingpoint IPS software has been released to address the
discovered vulnerability:
<http://www.3com.com/securityalert/alerts/3COM-07-003.html>
http://www.3com.com/securityalert/alerts/3COM-07-003.html

This issue has been addressed in various TOS releases as indicated by the
affected product below.
- X-Family devices, 2.5.0.6682.
- non-X-Family device (not including 600E, 1200E, 2400E or 5000E),
2.5.1.6826.
- non-X-Family device (including 600E, 1200E, 2400E or 5000E),
2.5.2.6919.


ADDITIONAL INFORMATION

The information has been provided by
<mailto:paul.craig@xxxxxxxxxxxxxxxxxxxxxxx> Paul Craig.
The original article can be found at:
<http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf> http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [Full-disclosure] TippingPoint IPS Signature Evasion
    ... During security analysis of the Tippingpoint IPS product a signature ... Web servers located behind a Tippingpoint IPS device which are capable ... Security consultants specialising in providing high quality Information ...
    (Full-Disclosure)
  • TippingPoint IPS Signature Evasion
    ... During security analysis of the Tippingpoint IPS product a signature ... Web servers located behind a Tippingpoint IPS device which are capable ... Security consultants specialising in providing high quality Information ...
    (Bugtraq)
  • [NEWS] Cisco Intrusion Prevention System Malformed Packet Denial of Service
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... an IPS device to operate as expected. ... inaccessible remotely or via the console and stop processing packets. ... Intel-based gigabit network adapter configured for use as a sensing ...
    (Securiteam)
  • [UNIX] Vulnerability in OpenCA Signature Verification
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... OpenCA Project is "an open organization aimed to ... This means that a certificate from another PKI can authorize ... operations on the used PKI if the chain of the used signature certificate ...
    (Securiteam)
  • [UNIX] LibTomCrypt Weak Signature Scheme
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... chaining modes, pseudo-random number generators, public key cryptography ... LibTomCrypt by the author within the signature scheme used with the ...
    (Securiteam)