JavaScript unescape regex (JavaScript_Unescape_Regex)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects an 'unescape' JavaScript function with an apparent obfuscation attempt, and possibly indicates a deliberate attempt to bypass detection of a shellcode-injection attempt for the purpose of taking control of a system.


False positives

Proventia Network IPS, Proventia Desktop, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: In some instances an 'unescape' clause contains regular expressions that are not malicious in nature. This signature cannot determine the intent of the regular expression patterns, and therefore may trigger on non-malicious traffic.

False negatives

Proventia Network IPS, Proventia Desktop, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: When the 'unescape' function name is obfuscated, this signature will not trigger.

Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 28.010, Proventia Desktop: 2140, BlackICE Server Protection: 3.6.cqt, BlackICE PC Protection: 3.6cqt, RealSecure Server Sensor: XPU 28.010, RealSecure Network: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network IDS: XPU 28.010, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.252.2140, IBM Security Server Protection for Windows: 1.0.914.2140, Proventia Network MFS: XPU 28.010, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.010

Systems affected

IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Suspicious Activity

Vulnerability description

JavaScript allows string variables to be passed to the unescape function. The string variable may call the .replace function, which can reference an embedded regular expression to perform work on the actual contents of the string. String manipulation associated with an unescape function should be considered suspicious activity.
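
The pattern described above, together with the false-positive and false-negative cases listed earlier, as an added example that is not the vendor's signature logic: a small JavaScript heuristic run over constructed script snippets. The regular expressions, the function name `inspectScript` and all sample strings are assumptions made for illustration.

```javascript
// Added example: a heuristic in the spirit of the signature, not the vendor's
// actual detection logic. All patterns and sample scripts are constructed.

// unescape( ... .replace( /regex/flags : a regex-driven replace feeding
// unescape directly. [^;]{0,200}? keeps the scan inside one statement.
const INLINE = /\bunescape\s*\(\s*[^;]{0,200}?\.replace\s*\(\s*\/(?:[^\/\\\n]|\\.)+\/[gimsuy]*/;

// name = ... .replace( /  : a variable built by a regex replace, which is
// reported only if that same variable is later passed to unescape().
const ASSIGN = /([A-Za-z_$][\w$]*)\s*=(?!=)\s*[^;]{0,200}?\.replace\s*\(\s*\//g;

function inspectScript(src) {
  const findings = [];
  if (INLINE.test(src)) findings.push("inline-replace");
  for (const m of src.matchAll(ASSIGN)) {
    const name = m[1].replace(/\$/g, "\\$"); // "$" is legal in JS identifiers
    const use = new RegExp("\\bunescape\\s*\\(\\s*" + name + "\\s*\\)");
    if (use.test(src)) findings.push("variable:" + m[1]);
  }
  return findings;
}

// Constructed samples; "Z48Z69" becomes "%48%69", which unescapes to "Hi".
const SAMPLES = {
  viaVariable: 'var s = "Z48Z69".replace(/Z/g, "%"); document.title = unescape(s);',
  inline: 'document.title = unescape("Z48Z69".replace(/Z/g, "%"));',
  benignQuery: 'var q = unescape(location.search.replace(/\\+/g, " "));',
  aliased: 'var f = unescape; f("Z48Z69".replace(/Z/g, "%"));',
  plain: 'document.title = unescape("%48%69");',
};

for (const [label, src] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(inspectScript(src)));
}
```

`benignQuery` is ordinary query-string decoding and still matches, which is the false-positive case; `aliased` never writes `unescape(` and is missed, which is the false-negative case.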

How to remove this vulnerability

The traffic should be blocked.

References

ISS X-Force
JavaScript unescape regex
http://www.iss.net/security_center/static/39046.php