Hosting Provided By

Re: TippingPoint IPS Signature Evasion

From: 3APA3A <3APA3A(at)SECURITY.NNOV.RU>
Date: Wed Jul 11 2007 - 10:30:04 EDT

Dear Paul Craig,

--Wednesday, July 11, 2007, 1:37:03 AM, you wrote to bugtraq@securityfocus.com:

PC> 
http://www.test.com/scripts%c0%afcmd.exe
PC> 
http://www.test.com/scripts%e0%80%afcmd.exe
PC> 
http://www.test.com/scripts%c1%9ccmd.exe

PC> Web servers located behind a Tippingpoint IPS device which are capable

PC> of decoding alternate Unicode characters can be accessed, and exploited PC> without triggering the IPS device.

Can you, please, provide example of such server? Fatih Ozavci reported similar problem with Checkpoint and Halfwidth/Fullwidth Unicode, potential attack vector was IIS with .Net framework, in this case IIS seems not to be exploitable.

Blaming IPS it does not detect attack which is impossible in-the-wild is nonsense. Blaming corporate-level IPS doesn't detect attack against SOHO web server is acceptable nonsense :)

--

~/ZARAZA http://securityvulns.com/ Received on Wed Jul 11 17:28:59 2007

This message: [ Message body ]
Next message: iDefense Labs: "iDefense Security Advisory 07.11.07: SquirrelMail G/PGP Plugin gpg_check_sign_pgp_mime() Command Injection Vulnerability"
Previous message: Paul Craig: "RE: TippingPoint IPS Signature Evasion"
In reply to: Paul Craig: "TippingPoint IPS Signature Evasion"
Next in thread: Paul Craig: "RE: TippingPoint IPS Signature Evasion"
Reply: Paul Craig: "RE: TippingPoint IPS Signature Evasion"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 17:55:45 EDT