JavaScript large number of unescape patterns detected (JavaScript_Large_Unescape)

About this signature or vulnerability

Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Host Protection for Servers (Unix), Proventia Network IPS, Proventia Server IPS for Linux technology, IBM Security Network Protection, Virtual Server Protection for Vmware:

This event triggers when a JavaScript 'unescape()' function with a large amount of escaped data is detected. This activity should be viewed with suspicion. It may be normal activity, or it could indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser vulnerability.

This signature detects an 'unescape' JavaScript function with a large amount of escaped data. This activity should be viewed with suspicion. It may be normal activity, or it could indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript for the purpose of taking control of a system through a browser bug.


False positives

Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Host Protection for Servers (Unix), Proventia Network IPS, Proventia Server IPS for Linux technology, IBM Security Network Protection, Virtual Server Protection for Vmware: Usage of the 'unescape()' function containing large amounts of non-malicious but encoded data will cause this event to trigger. Legitimate usages of the 'unescape' function will cause this signature to trigger.

False negatives

Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Host Protection for Servers (Unix), Proventia Network IPS, Proventia Server IPS for Linux technology, IBM Security Network Protection, Virtual Server Protection for Vmware: Very small but potentially malicious 'unescape()' instances will not trigger this event.

Default risk level

Medium

Sensors that have this signature

Proventia Network MFS: XPU 28.010, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 2.0.252.2140, IBM Security Host Protection for Servers (Windows): 1.0.914.2140, RealSecure Server Sensor: XPU 28.010, IBM Security Host Protection for Desktops: 2140, Proventia Network IDS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Network IPS: XPU 28.010, Proventia Server IPS for Linux technology: 28.010, IBM Security Network Protection: 5.1, Virtual Server Protection for Vmware: 1.0

Systems affected

Wind River BSDOS, HP HP-UX, IBM AIX, Linux Kernel, SGI IRIX, Sun Solaris, IBM OS2, Microsoft Windows NT: 4.0, Microsoft Windows 95, Data General DG/UX, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows Me, Microsoft Windows 2000, Microsoft Windows 98SE, Microsoft Windows XP, Compaq Tru64, Apple Mac OS X, Microsoft Windows 2003 Server

Type

Suspicious Activity

Vulnerability description

The JavaScript function unescape() is used to translate escaped (or encoded) data into normal strings. A large number of escaped patterns have been detected within an unescape() function. This could indicate an attempt to take control of a system, or it may indicate an attempt to obfuscate benign JavaScript or HTML instructions.
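
One way to express the check this signature describes, as an added example that is not IBM's detection code: it counts %XX and %uXXXX escapes inside each unescape() call and alerts at an assumed threshold (ESCAPE_THRESHOLD, a value the page does not state). The function names and the constructed samples are hypothetical; the samples reproduce the false-positive and false-negative cases described above.

```javascript
// Added example: heuristic in the spirit of the signature, not the vendor's logic.
// ESCAPE_THRESHOLD is an assumed value; the page does not give the real one.
const ESCAPE_THRESHOLD = 64;

// %uXXXX (UTF-16 code unit) and %XX (byte) escapes accepted by unescape().
const ESCAPE_RE = /%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g;

// Return the text between the "(" at openIdx and its matching ")",
// ignoring parentheses that appear inside string literals.
function callArgument(src, openIdx) {
  let depth = 0;
  let quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // end of string literal
    } else if (ch === '"' || ch === "'" || ch === "`") {
      quote = ch;
    } else if (ch === "(") {
      depth++;
    } else if (ch === ")" && --depth === 0) {
      return src.slice(openIdx + 1, i);
    }
  }
  return src.slice(openIdx + 1);            // unterminated call: scan to end
}

// Report every unescape() call in the script text with its escape count.
// Counting over the whole argument also covers literals joined with "+".
function scanUnescape(src, threshold = ESCAPE_THRESHOLD) {
  const findings = [];
  const callRe = /\bunescape\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;
    const escapes = (callArgument(src, open).match(ESCAPE_RE) || []).length;
    findings.push({ offset: m.index, escapes, alert: escapes >= threshold });
  }
  return findings;
}

// Constructed samples. SAMPLE_LARGE is benign padding (letters and spaces) yet
// still alerts: the false positive. SAMPLE_SMALL is below the threshold and
// never alerts regardless of content: the false negative.
const SAMPLE_LARGE =
  'var d = unescape("' + "%u0041".repeat(40) + '" + "' + "%20".repeat(40) + '");';
const SAMPLE_SMALL = 'var s = unescape("%48%69%21");';
```

An alert from a check like this says only that the call is large; the decoded data still has to be examined to tell benign encoding from an injection attempt.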

How to remove this vulnerability

Investigate the source data which triggers the event and block the traffic.

References

ISS X-Force
JavaScript large number of unescape patterns detected
http://www.iss.net/security_center/static/39049.php