Re: Bypassing of web filters by using ASCII



On 21 Jun 2006 at 18:24, Paul wrote:

Very interesting, indeed. Does this work with functional characters
such as html brackets? What about html tag obfuscation (bypassing
script filters such as those in place at hotmail)?


Notice that in order for this trick to work, the charset should be explicitly set to "US-
ASCII". The default charset for HTTP text/html messages is ISO-8859-1 (From RFC 2616,
section 3.7.1: 'When no explicit charset parameter is provided by the sender, media
subtypes of the "text" type are defined to have a default charset value of "ISO-8859-1"
when received via HTTP'), which does define the high-bit values in octets. In other words,
in order to successfully exploit this, the attacker needs to control the page/message
charset. This can be done through the Content-Type header (as demonstrated in the original
post's demo URL - notice that it sends the following response header: "Content-Type:
text/html;charset=US-ASCII") or (I believe) via the META tag (using the HTTP-EQUIV
attribute).
So in order to exploit this in HTML over HTTP, the attacker needs to either add/modify the
Content-Type response header, or to add/modify the META tag in the HTML page.

-Amit


Nice find.

Paul

On 6/21/06, Fixer <fixer@xxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This also affects IE 7 Beta 2.

Did you shoot this over to Microsoft?

k.huwig@xxxxxxxxx wrote:
_______________________________________________________________________


iKu Advisory

_______________________________________________________________________


Product : Microsoft InternetExplorer 6

: various filter applications

Date : June 20th 2006

Affected versions : all

Vulnerability Type : bypassing security filters

Severity (1-10) : 10

Remote : yes

_______________________________________________________________________


0. contents


1. problem description

2. affected software

3. bug description/possible fix

4. sample code

5. workaround



1. problem description


The character set ASCII encodes every character with 7 bits. Internet

connections transmit octets with 8 bits. If the content of such a

transmission is encoded in ASCII, the most significant bit must be ignored.


Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6,

only the InternetExplorer does this correctly, the others evaluate the

bit and display the characters as if they were from the character set

ISO-8859-1. Although the behaviour of the InternetExplorer is the

correct one, this creates a security risk: the author of a web page can

set the bit on arbitraty characters without changing the look of the

page. But virus scanners and content filters see completely different

characters, so that there programs cannot detect viruses or spam.


This offers spammers and virus writers the possibility to bypass

installed spam and virus filters.



2. affected software


Only the InternetExplorer displays ASCII encoded web pages as 7 bit. We

checked several hardware router and antivirus solutions, all of which

failed to detect malicious JavaScript in manipulated web pages.



3. bug description/possible fix


It should be quite easy to close this hole within filter/scan

applications by clearing the most significant bit on ASCII encoded web

pages before analysing them.



4. sample page


At


http://www.iku-ag.de/ASCII


you can find a test page that displays a secret message. IE6 displays

the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text.

This page only shows that IE6 displays ASCII-text correctly and does not

contain any content that a filter should sort out.


Updated information can be found at


http://www.iku-ag.de/sicherheit/ascii-eng.jsp



5. workaround


There is no workaround know to us.

--

Kurt Huwig iKu Systemhaus AG http://www.iku-ag.de/ Vorstand Am Römerkastell 4 Telefon 0681/96751-0 66121 Saarbrücken Telefax 0681/96751-66 GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940 EB6D 4C32 F908 99DD 9468


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRJmo5wt0Y4479LtgAQJ6/gf9HiQlg8HcteEKECisR3x0sWH0hptcr9De
aaaQMJkTvnlwtTKTnrIe7TdZaeAKPNnsh6VMyS5zaOPqnwFfjKjmRK21Ml6m0wLB
fKR8XQM+xO9hdNSO7wvjFJC8/NuDhts3M6hKiUHcOqOEEmWH+jll1OchiDTG3AB3
9vAIH1WuYH101gOwt9RSYD3kjujQjro+RQWj5eez42MZEn7k/Fl69XtaVbjMb16M
Ud99mpk45JKUWUOuSXXT5VEQJI95M+9Oe7IZmchI89hCDtD6Q38tBGo8nrBweld8
/WFdI5v1YStONnJS1mB1zeGmn1nyXiRRN+2KDaNYc0rld6v1He6SpA==
=fAiX
-----END PGP SIGNATURE-----




Relevant Pages

  • Re: Bypassing of web filters by using ASCII
    ... JavaScript in IE, without using open or close angle brackets. ... Vulnerability Type: bypassing security filters ... The character set ASCII encodes every character with 7 bits. ... Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6, ...
    (Bugtraq)
  • Re: Bypassing of web filters by using ASCII
    ... The character set ASCII encodes every character with 7 bits. ... Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6, ... But virus scanners and content filters see completely different ... Only the InternetExplorer displays ASCII encoded web pages as 7 bit. ...
    (Bugtraq)
  • Bypassing of web filters by using ASCII
    ... The character set ASCII encodes every character with 7 bits. ... Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6, ... But virus scanners and content filters see completely different ... Only the InternetExplorer displays ASCII encoded web pages as 7 bit. ...
    (Bugtraq)
  • Re: Inline Pipeline Filter/lambda
    ... how about a different 1 character for in-line filters? ... You can try this out using aliases. ... set-alias % foreach-object ...
    (microsoft.public.windows.server.scripting)
  • [Full-disclosure] Vulnerabilities in kses-based HTML filters
    ... Vulnerabilities in kses-based HTML filters ... based on kses are part of many popular projects, including WordPress, ... This vulnerability is caused by unsafe preg_replacewith "e" modifier ...
    (Full-Disclosure)