Wieners, Brats, Franks, we've got 'em all.
0 Members and 1 Guest are viewing this topic.
The Problem:------------Internet Explorer ignores NUL characters-- i.e. ascii characters with the value 0x00 -- mostsecurity software does not. This behaviour of IEdoes not depend on the charset in the Content-Type-Header.En DetailYou can embed NUL characters at any place in an HTMLdocument, even inside of tags. IE parses the file, asif they were not there. The number of NUL charactersdoes not matter: a single one is ignored as well as5000 en bloc after every single valid character. Intests I sucessfully infected an unpatched Windowssystem from html pages containing 5000 NULcharacters.Example:--------Both versions work with all tested versions of IE:< script>alert("Hello world");</script>< s\0x0cript>alert("Hello world");</script>(\0x0 stands for a charachter with a value of 0,the blanks in the script tags have been insertedintentionally)The consequences:-----------------Protection mechanisms against evil embedded inHTML can be evaded. Intrusion Detection/PreventionSystems and Antivirus programms don't recognizeexploits for known browser problems any more, if theyare obfuscated by embedded NUL characters. Filteringof JavaScript or ActiveX may fail.Test results------------AntivirusI took a standard mhtml exploit, that was recognized byten AV programms:AntiVir HTML/Exploit.OBJ-MhtBitDefender Exploit.Html.MhtRedir.Gen (suspected)ClamAV Exploit.HTML.MHTRedir-8eTrust-VET HTML.MHTMLRedir!exploitF-Secure Exploit.HTML.MhtFortinet HTML/MHTRedir.AMcAfee Exploit-MhtRedir.genKaspersky Exploit.HTML.MhtPanda Exploit/Mhtredir.genSymantec Bloodhound.Exploit.6After I modified it by inserting NUL characters noneof the AV scanners found anything suspicious --although the exploits were still fullyfunctional.Intrusion PreventionA recent IE exploit using the HHCtrl addon to executearbitrary commands (seehttp://www.heise.de/security/dienste/browsercheck/demos/ie/e5_25.shtml).was detected and blocked by ISS Proventia (DesktopEdition). After I inserted NUL characters, Proventiadid not detect the exploit any more, but the demo wasworking. heise Security informed ISS and they promised topublish new signatures, detecting NUL character evasion.Other ID/IP Systems were not tested, but are likely toshow similar behaviour. Ask your vendor or testyourself. We have setup a web page to demonstrateNUL character evasion, where you can test yourAV/IDS/IPS solution. See:http://www.heise.de/security/dienste/browsercheck/demos/ie/null/Not affected:-------------Content Security Solutions that sanitize HTMLbefore delivering it to the client. I checked WebwasherCSM 5.2. Its Proxy replaces embedded NUL characters (0x00)with spaces (0x20) by default. Pure Proxies like squiddeliver NULs to the client.Remarks:--------As far as I know, Andreas Marx from AV-Test(www.av-test.de) discovered this strange behaviour.He started informing AV vendors and other vendors ofsecurity products over a year ago.Microsoft Security Response Center considers thebehaviour of Internet Explorer correct:---We have investigated this issue and have determinedthat this is actually by design as IE is processing theMIME type as expected. For details on how this ishandled, please seehttp://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp---Please note, that the behaviour of IE is not a securityproblem itself but a problem for security software.In combination with a security hole, it can be usedto evade protection by Antivirus softwareand or ID/IP Systems.Thanks:-------The antivirus tests have been done with help of AV-Test(http://www.av-test.de).Further information:"Null Problemo", article on heise Security (german)http://www.heise.de/security/artikel/63411NUL Demoshttp://www.heise.de/security/dienste/browsercheck/demos/ie/null/-- Juergen Schmidt editor in chief heise Security www.heisec.de Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@heisec.de GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
