Evading detection with NUL characters in IE

[iago]

The Problem:
------------
Internet Explorer ignores NUL characters
-- i.e. ascii characters with the value 0x00 -- most
security software does not. This behaviour of IE
does not depend on the charset in the Content-Type-Header.


En Detail

You can embed NUL characters at any place in an HTML
document, even inside of tags. IE parses the file, as
if they were not there. The number of NUL characters
does not matter: a single one is ignored as well as
5000 en bloc after every single valid character. In
tests I sucessfully infected an unpatched Windows
system from html pages containing 5000 NUL
characters.


Example:
--------

Both versions work with all tested versions of IE:

< script>alert("Hello world");</script>

< s\0x0cript>alert("Hello world");</script>

(\0x0 stands for a charachter with a value of 0,
the blanks in the script tags have been inserted
intentionally)


The consequences:
-----------------
Protection mechanisms against evil embedded in
HTML can be evaded. Intrusion Detection/Prevention
Systems and Antivirus programms don't recognize
exploits for known browser problems any more, if they
are obfuscated by embedded NUL characters. Filtering
of JavaScript or ActiveX may fail.

Test results
------------

Antivirus

I took a standard mhtml exploit, that was recognized by
ten AV programms:

AntiVir      HTML/Exploit.OBJ-Mht
BitDefender   Exploit.Html.MhtRedir.Gen (suspected)
ClamAV   Exploit.HTML.MHTRedir-8
eTrust-VET   HTML.MHTMLRedir!exploit
F-Secure   Exploit.HTML.Mht
Fortinet   HTML/MHTRedir.A
McAfee      Exploit-MhtRedir.gen
Kaspersky   Exploit.HTML.Mht
Panda      Exploit/Mhtredir.gen
Symantec   Bloodhound.Exploit.6

After I modified it by inserting NUL characters none
of the AV scanners found anything suspicious --
although the exploits were still fully
functional.

Intrusion Prevention

A recent IE exploit using the HHCtrl addon to execute
arbitrary commands (see
http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_25.shtml).
was detected and blocked by ISS Proventia (Desktop
Edition). After I inserted NUL characters, Proventia
did not detect the exploit any more, but the demo was
working. heise Security informed ISS and they promised to
publish new signatures, detecting NUL character evasion.

Other ID/IP Systems were not tested, but are likely to
show similar behaviour. Ask your vendor or test
yourself. We have setup a web page to demonstrate
NUL character evasion, where you can test your
AV/IDS/IPS solution. See:

http://www.heise.de/security/dienste/browsercheck/demos/ie/null/



Not affected:
-------------

Content Security Solutions that sanitize HTML
before delivering it to the client. I checked Webwasher
CSM 5.2. Its Proxy replaces embedded NUL characters (0x00)
with spaces (0x20) by default. Pure Proxies like squid
deliver NULs to the client.



Remarks:
--------

As far as I know, Andreas Marx from AV-Test
(www.av-test.de) discovered this strange behaviour.
He started informing AV vendors and other vendors of
security products over a year ago.

Microsoft Security Response Center considers the
behaviour of Internet Explorer correct:

---
We have investigated this issue and have determined
that this is actually by design as IE is processing the
MIME type as expected.  For details on how this is
handled, please see
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
---


Please note, that the behaviour of IE is not a security
problem itself but a problem for security software.
In combination with a security hole, it can be used
to evade protection by Antivirus software
and or ID/IP Systems.

Thanks:
-------

The antivirus tests have been done with help of AV-Test
(http://www.av-test.de).


Further information:

"Null Problemo", article on heise Security (german)
http://www.heise.de/security/artikel/63411

NUL Demos
http://www.heise.de/security/dienste/browsercheck/demos/ie/null/

-- Juergen Schmidt editor in chief heise Security www.heisec.de Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@heisec.de GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

[Blaze]

Firefox 349284083204
MIE: 1