The Problem:
------------
Internet Explorer ignores NUL characters
-- i.e. ascii characters with the value 0x00 -- most
security software does not. This behaviour of IE
does not depend on the charset in the Content-Type-Header.


En Detail

You can embed NUL characters at any place in an HTML
document, even inside of tags. IE parses the file, as
if they were not there. The number of NUL characters
does not matter: a single one is ignored as well as
5000 en bloc after every single valid character. In
tests I sucessfully infected an unpatched Windows
system from html pages containing 5000 NUL
characters.


Example:
--------

Both versions work with all tested versions of IE:

< script>alert("Hello world");</script>

< s\0x0cript>alert("Hello world");</script>

(\0x0 stands for a charachter with a value of 0,
the blanks in the script tags have been inserted
intentionally)


The consequences:
-----------------
Protection mechanisms against evil embedded in
HTML can be evaded. Intrusion Detection/Prevention
Systems and Antivirus programms don't recognize
exploits for known browser problems any more, if they
are obfuscated by embedded NUL characters. Filtering
of JavaScript or ActiveX may fail.

Test results
------------

Antivirus

I took a standard mhtml exploit, that was recognized by
ten AV programms:

AntiVir    HTML/Exploit.OBJ-Mht
BitDefender  Exploit.Html.MhtRedir.Gen (suspected)
ClamAV  Exploit.HTML.MHTRedir-8
eTrust-VET  HTML.MHTMLRedir!exploit
F-Secure  Exploit.HTML.Mht
Fortinet  HTML/MHTRedir.A
McAfee    Exploit-MhtRedir.gen
Kaspersky  Exploit.HTML.Mht
Panda    Exploit/Mhtredir.gen
Symantec  Bloodhound.Exploit.6

After I modified it by inserting NUL characters none
of the AV scanners found anything suspicious --
although the exploits were still fully
functional.

Intrusion Prevention

A recent IE exploit using the HHCtrl addon to execute
arbitrary commands (see
https://www.heise.de/security/dienste/browsercheck/demos/ie/e5_25.shtml).
was detected and blocked by ISS Proventia (Desktop
Edition). After I inserted NUL characters, Proventia
did not detect the exploit any more, but the demo was
working. heise Security informed ISS and they promised to
publish new signatures, detecting NUL character evasion.

Other ID/IP Systems were not tested, but are likely to
show similar behaviour. Ask your vendor or test
yourself. We have setup a web page to demonstrate
NUL character evasion, where you can test your
AV/IDS/IPS solution. See:

https://www.heise.de/security/dienste/browsercheck/demos/ie/null/



Not affected:
-------------

Content Security Solutions that sanitize HTML
before delivering it to the client. I checked Webwasher
CSM 5.2. Its Proxy replaces embedded NUL characters (0x00)
with spaces (0x20) by default. Pure Proxies like squid
deliver NULs to the client.



Remarks:
--------

As far as I know, Andreas Marx from AV-Test
(www.av-test.de) discovered this strange behaviour.
He started informing AV vendors and other vendors of
security products over a year ago.

Microsoft Security Response Center considers the
behaviour of Internet Explorer correct:

---
We have investigated this issue and have determined
that this is actually by design as IE is processing the
MIME type as expected.  For details on how this is
handled, please see
https://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
---


Please note, that the behaviour of IE is not a security
problem itself but a problem for security software.
In combination with a security hole, it can be used
to evade protection by Antivirus software
and or ID/IP Systems.

Thanks:
-------

The antivirus tests have been done with help of AV-Test
(https://www.av-test.de).


Further information:

"Null Problemo", article on heise Security (german)
https://www.heise.de/security/artikel/63411

NUL Demos
https://www.heise.de/security/dienste/browsercheck/demos/ie/null/

-- 
Juergen Schmidt   editor in chief    heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970