Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.
Overview
========
ASP.NET 1.1 ignores invalid UTF-8 sequences.
This can be used to evade detection by IDS/IPS/WAF.
Problem 1
=========
Affected Environment:
Web sites written in ASP.NET 1.1 that use UTF-8 character encoding.
Summary:
Invalid UTF-8 sequences are ignored.
Sample script (ex1.aspx):
<%= Request.QueryString("p") %>
Input: http://hostname/ex1.aspx?p=dec%E6lare
Output: declare
Problem 2 (Reference Information)
=================================
Affected Environment:
All web sites written in legacy ASP (Active Server Pages).
Summary:
Percent (%) symbols are ignored when the percent-encoding is
invalid.
Sample script (ex2.asp):
<%= Request.QueryString("p") %>
Input: http://hostname/ex2.asp?p=dec%lare
Output: declare
This problem was reported by LAC Corporation on Oct. 2, 2008.
http://www.lac.co.jp/info/rrics_report/csl20081002.html (Japanese)
Influence
=========
Detection by IDS/IPS/WAF (Web Application Firewall) can be evaded by
inserting invalid UTF-8 sequences in the middle of SQL keywords (select,
union, declare and so on).
Solution and Workaround
=======================
* Take character encoding into account when detecting with IDS/IPS/WAF.
* Migrate to ASP.NET 2.0.
The first problem is resolved in ASP.NET 2.0.
* Fix the vulnerabilities.
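One way to apply the first workaround in a detection layer, as an added example (not code from this advisory or from any IDS/IPS/WAF product): normalize each parameter value the way the back end is assumed to, then match keywords on the result and treat malformed encoding as a signal of its own. The function names and the keyword list are assumptions, and Python's errors="ignore" decoder stands in for the ASP.NET 1.1 behaviour, which may differ on inputs other than the advisory's samples.

```python
import re

# Keywords the advisory names; a real rule set would be larger.
KEYWORDS = re.compile(r"\b(select|union|declare)\b", re.IGNORECASE)
HEX = set("0123456789abcdefABCDEF")

def percent_decode(value):
    """Decode %XX to bytes; drop a '%' that is not followed by two hex digits
    (models Problem 2). Returns (raw_bytes, saw_invalid_percent)."""
    out, bad, i = bytearray(), False, 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "%":
            out += value[i].encode("utf-8")
            i += 1
        elif len(pair) == 2 and set(pair) <= HEX:
            out.append(int(pair, 16))
            i += 3
        else:
            bad = True  # stray '%': skip it, keep the following characters
            i += 1
    return bytes(out), bad

def inspect(value):
    """Normalize one parameter value the way the back end is assumed to,
    then match keywords on the result and report malformed encoding."""
    raw, bad_percent = percent_decode(value)
    normalized = raw.decode("utf-8", errors="ignore")  # models Problem 1
    return {
        "normalized": normalized,
        "invalid_percent": bad_percent,
        # Valid UTF-8 survives a decode/encode round trip unchanged.
        "invalid_utf8": normalized.encode("utf-8") != raw,
        "raw_match": bool(KEYWORDS.search(value)),
        "normalized_match": bool(KEYWORDS.search(normalized)),
    }

if __name__ == "__main__":
    # First two values are the advisory's inputs; the last two are constructed controls.
    for sample in ("dec%E6lare", "dec%lare", "declare", "caf%C3%A9"):
        print(sample, inspect(sample))
```

A value where raw_match is false but normalized_match is true, or where either invalid flag is set, is worth logging even when no keyword matches.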
Credit
======
This vulnerability was reported by Hiroshi Tokumaru of
HASH Consulting Corporation (http://www.hash-c.co.jp/).
Contact
=======
secuinfo (at) hash-c (dot) co (dot) jp
http://www.tokumaru.org/d/ (Hiroshi Tokumaru Personal Blog)