The Problem: ------------ Internet Explorer ignores NUL characters -- i.e. ascii characters with the value 0x00 -- most security software does not. This behaviour of IE does not depend on the charset in the Content-Type-Header. En Detail You can embed NUL characters at any place in an HTML document, even inside of tags. IE parses the file, as if they were not there. The number of NUL characters does not matter: a single one is ignored as well as 5000 en bloc after every single valid character. In tests I sucessfully infected an unpatched Windows system from html pages containing 5000 NUL characters. Example: -------- Both versions work with all tested versions of IE: < script>alert("Hello world"); < s\0x0cript>alert("Hello world"); (\0x0 stands for a charachter with a value of 0, the blanks in the script tags have been inserted intentionally) The consequences: ----------------- Protection mechanisms against evil embedded in HTML can be evaded. Intrusion Detection/Prevention Systems and Antivirus programms don't recognize exploits for known browser problems any more, if they are obfuscated by embedded NUL characters. Filtering of JavaScript or ActiveX may fail. Test results ------------ Antivirus I took a standard mhtml exploit, that was recognized by ten AV programms: AntiVir HTML/Exploit.OBJ-Mht BitDefender Exploit.Html.MhtRedir.Gen (suspected) ClamAV Exploit.HTML.MHTRedir-8 eTrust-VET HTML.MHTMLRedir!exploit F-Secure Exploit.HTML.Mht Fortinet HTML/MHTRedir.A McAfee Exploit-MhtRedir.gen Kaspersky Exploit.HTML.Mht Panda Exploit/Mhtredir.gen Symantec Bloodhound.Exploit.6 After I modified it by inserting NUL characters none of the AV scanners found anything suspicious -- although the exploits were still fully functional. Intrusion Prevention A recent IE exploit using the HHCtrl addon to execute arbitrary commands (see http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_25.shtml). was detected and blocked by ISS Proventia (Desktop Edition). After I inserted NUL characters, Proventia did not detect the exploit any more, but the demo was working. heise Security informed ISS and they promised to publish new signatures, detecting NUL character evasion. Other ID/IP Systems were not tested, but are likely to show similar behaviour. Ask your vendor or test yourself. We have setup a web page to demonstrate NUL character evasion, where you can test your AV/IDS/IPS solution. See: http://www.heise.de/security/dienste/browsercheck/demos/ie/null/ Not affected: ------------- Content Security Solutions that sanitize HTML before delivering it to the client. I checked Webwasher CSM 5.2. Its Proxy replaces embedded NUL characters (0x00) with spaces (0x20) by default. Pure Proxies like squid deliver NULs to the client. Remarks: -------- As far as I know, Andreas Marx from AV-Test (www.av-test.de) discovered this strange behaviour. He started informing AV vendors and other vendors of security products over a year ago. Microsoft Security Response Center considers the behaviour of Internet Explorer correct: --- We have investigated this issue and have determined that this is actually by design as IE is processing the MIME type as expected. For details on how this is handled, please see http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp --- Please note, that the behaviour of IE is not a security problem itself but a problem for security software. In combination with a security hole, it can be used to evade protection by Antivirus software and or ID/IP Systems. Thanks: ------- The antivirus tests have been done with help of AV-Test (http://www.av-test.de). Further information: "Null Problemo", article on heise Security (german) http://www.heise.de/security/artikel/63411 NUL Demos http://www.heise.de/security/dienste/browsercheck/demos/ie/null/ -- Juergen Schmidt editor in chief heise Security www.heisec.de Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@heisec.de GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/