- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
TippingPoint IPS Signature Evasion
------------------------------------------------------------------------
SUMMARY
During security analysis of the Tippingpoint IPS product a signature
evasion vulnerability was discovered. The use of specific Unicode
characters on particular web servers allows a remote user to bypass IPS
detection.
DETAILS
Vulnerable Systems:
* TippingPoint IPS running TOS version 2.1
* TippingPoint IPS running TOS version 2.2.0 up to and including 2.2.4
By using a hex encoded alternate Unicode character for forward slash (/) a
request can be produced that will not match any IPS signature present in
the TippingPoint device.
Example:
http://www.test.com/scripts/cmd.exe is a known attack, and detected by a
signature.
The same URI with alternate Unicode forward slash characters are not
detected by the signature.
http://www.test.com/scripts%c0%afcmd.exe
http://www.test.com/scripts%e0%80%afcmd.exe
http://www.test.com/scripts%c1%9ccmd.exe
Web servers located behind a Tippingpoint IPS device which are capable of
decoding alternate Unicode characters can be accessed, and exploited
without triggering the IPS device.
Solutions:
Security-Assessment.com has been in contact with Tipping and a new version
of the Tippingpoint IPS software has been released to address the
discovered vulnerability:
<http://www.3com.com/securityalert/alerts/3COM-07-003.html>
http://www.3com.com/securityalert/alerts/3COM-07-003.html
This issue has been addressed in various TOS releases as indicated by the
affected product below.
- X-Family devices, 2.5.0.6682.
- non-X-Family device (not including 600E, 1200E, 2400E or 5000E),
2.5.1.6826.
- non-X-Family device (including 600E, 1200E, 2400E or 5000E),
2.5.2.6919.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:paul.craig@security-assessment.com> Paul Craig.
The original article can be found at:
<http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf> http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment