JavaScript large number of eval patterns detected (JavaScript_Large_Eval)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:

This event triggers when a JavaScript 'eval()' call containing a large amount of escaped data is detected. Treat this activity as suspicious: it may be normal, or it may indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript in order to take control of a system through a browser vulnerability.


False positives

Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: Use of the 'eval()' function with large amounts of non-malicious but encoded data will trigger this event.

False negatives

Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: Very small but potentially malicious 'eval()' instances will not trigger this event.

Default risk level

Medium

Sensors that have this signature

Proventia Network IPS: XPU 29.030, Proventia Desktop: 2370, RealSecure Server Sensor: XPU 29.030, RealSecure Network: XPU 29.030, Proventia-G 1.1 and earlier: XPU 29.030, Proventia Network MFS: XPU 29.030, Proventia Network IDS: XPU 29.030, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2370, IBM Security Server Protection for Windows: 2.0.300.2370, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 29.030

Systems affected

IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Suspicious Activity

Vulnerability description

The JavaScript function eval() may be used to evaluate escaped (or encoded) data into normal strings and/or JavaScript instructions. A large number of escaped patterns have been detected within an eval() call. This could indicate an attempt to take control of a system, or it may indicate an attempt to obfuscate benign JavaScript or HTML instructions.
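
The heuristic described above, sketched as an added example for triage and tuning; it is not the sensors' actual logic or code from this page. The threshold of 50, the set of escape forms matched, and all function and sample names are assumptions. PACKED_BENIGN reproduces the false-positive case and SMALL the false-negative case noted in the sections above.

```python
import re

# Assumption: the page does not say how many escapes count as "large".
ESCAPE_THRESHOLD = 50

# Escape forms found in JavaScript strings: %41, %u0041, \x41, \u0041
ESCAPE_RE = re.compile(
    r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
EVAL_RE = re.compile(r"\beval\s*\(")


def eval_arguments(script):
    """Yield the text between the parentheses of each eval(...) call."""
    for match in EVAL_RE.finditer(script):
        start = i = match.end()
        depth, quote = 1, None
        while i < len(script) and depth:
            ch = script[i]
            if quote:
                if ch == "\\":
                    i += 1          # skip the character after a backslash
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        # Drop the closing parenthesis if the call was balanced.
        yield script[start:i - 1] if depth == 0 else script[start:]


def count_escapes(script):
    """Highest number of escape patterns inside any single eval() call."""
    return max((len(ESCAPE_RE.findall(arg))
                for arg in eval_arguments(script)), default=0)


def is_suspicious(script, threshold=ESCAPE_THRESHOLD):
    return count_escapes(script) >= threshold


# Constructed samples; every escaped byte decodes to harmless text.
MENU = b"var menu = ['home','about','contact'];" * 3
PACKED_BENIGN = "eval(unescape('%s'));" % "".join("%%%02x" % b for b in MENU)
SMALL = "eval(unescape('%68%65%6c%6c%6f'));"
OUTSIDE_EVAL = "var s = unescape('%s');" % ("%61" * 200)
```

Because the count alone cannot separate packed benign script from an injected payload, a hit should lead to decoding and inspecting the eval() argument before the traffic is blocked.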

How to remove this vulnerability

Investigate the source data which triggers the event and block the traffic.

References

ISS X-Force
JavaScript large number of eval patterns detected
http://www.iss.net/security_center/static/39959.php