During a security analysis of the TippingPoint IPS product, a signature evasion vulnerability was discovered. The use of specific Unicode characters on particular web servers allows a remote user to bypass IPS detection.
Credit:
The information has been provided by Paul Craig.
The original article can be found at: http://security-assessment.com/files/advisories/2007-07-11_Tippingpoint_IPS_Signature_Evasion.pdf
Vulnerable Systems:
* TippingPoint IPS running TOS version 2.1
* TippingPoint IPS running TOS version 2.2.0 up to and including 2.2.4
By using a hex-encoded alternate Unicode representation of the forward slash (/), a request can be produced that will not match any IPS signature present in the TippingPoint device.
Example:
http://www.test.com/scripts/cmd.exe is a known attack, and detected by a signature.
The same URI written with alternate Unicode forward slash characters is not detected by the signature:
http://www.test.com/scripts%c0%afcmd.exe
http://www.test.com/scripts%e0%80%afcmd.exe
http://www.test.com/scripts%c1%9ccmd.exe
Web servers located behind a TippingPoint IPS device that are capable of decoding alternate Unicode characters can be accessed and exploited without triggering the IPS device.
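An added example, not part of the original advisory: a Python check that percent-decodes a request path and reports every non-shortest-form (overlong) UTF-8 sequence, which is the encoding trick the three URIs above use to hide a path separator from a byte-level signature. The function name `find_overlong` and the extra `caf%c3%a9` sample are assumptions made for this illustration.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Smallest code point that legitimately needs a 2-, 3- or 4-byte sequence.
MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}

def find_overlong(uri):
    """Return (hex bytes, decoded character) for each overlong UTF-8
    sequence found in the percent-decoded path of `uri`."""
    data = unquote_to_bytes(urlsplit(uri).path)
    hits, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead >> 5 == 0b110:
            length, cp = 2, lead & 0x1F
        elif lead >> 4 == 0b1110:
            length, cp = 3, lead & 0x0F
        elif lead >> 3 == 0b11110:
            length, cp = 4, lead & 0x07
        else:
            i += 1  # ASCII, stray continuation byte or invalid lead byte
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(b >> 6 != 0b10 for b in tail):
            i += 1  # truncated or malformed sequence, skipped by this check
            continue
        for b in tail:
            cp = (cp << 6) | (b & 0x3F)
        # A strict decoder rejects this; a lenient one yields chr(cp).
        if cp < MIN_CODEPOINT[length]:
            hits.append((data[i:i + length].hex(), chr(cp)))
        i += length
    return hits

# Constructed sample input: the advisory's URIs plus one legitimate
# two-byte UTF-8 character (assumed here as a negative control).
SAMPLES = [
    "http://www.test.com/scripts/cmd.exe",
    "http://www.test.com/scripts%c0%afcmd.exe",
    "http://www.test.com/scripts%e0%80%afcmd.exe",
    "http://www.test.com/scripts%c1%9ccmd.exe",
    "http://www.test.com/caf%c3%a9",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", find_overlong(uri) or "shortest-form only")
```

Any non-empty result is grounds to reject or alert on the request before signature matching, since a conforming UTF-8 encoder never produces these byte sequences.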
Solutions:
Security-Assessment.com has been in contact with TippingPoint, and a new version of the TippingPoint IPS software has been released to address the discovered vulnerability: http://www.3com.com/securityalert/alerts/3COM-07-003.html
This issue has been addressed in various TOS releases, as indicated for each affected product below.
- X-Family devices, 2.5.0.6682.
- Non-X-Family devices (not including 600E, 1200E, 2400E or 5000E), 2.5.1.6826.
- Non-X-Family devices (including 600E, 1200E, 2400E or 5000E), 2.5.2.6919.