JavaScript unescape obfuscation (JavaScript_Unescape_Obfuscation)

About this signature or vulnerability

Virtual Server Protection for VMware, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This signature triggers when the JavaScript 'unescape' function has been deliberately renamed using a statement similar to 'var variable_name = unescape;'. This behavior is a deliberate obfuscation attempt for the purpose of evading an IDS and should be viewed as highly suspicious.


False positives

Virtual Server Protection for VMware, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows): Some complex JavaScript applications make use of 'unescape' (and other function name) reassignments. In those instances, this signature will trigger.

False negatives

Virtual Server Protection for VMware, Proventia Network IPS, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows): None

Default risk level

Low

Sensors that have this signature

Virtual Server Protection for VMware: 1.0, Proventia Network IPS: XPU 28.010, Proventia Network MFS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network IDS: XPU 28.010, IBM Security Host Protection for Desktops: 2140, Proventia Server IPS for Linux technology: 28.010, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Network Protection: 5.1, RealSecure Server Sensor: XPU 28.010, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.2140, IBM Security Host Protection for Servers (Windows): 2.0.252.2140

Systems affected

IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Suspicious Activity

Vulnerability description

JavaScript permits functions to be assigned to variables, and the variable can then be called in place of the function. A remote attacker can assign the unescape JavaScript function to a variable and call it through that name in an attempt to evade IDS systems that detect the use of the function.
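
The check this signature describes, sketched as an added example (not the IBM/ISS signature's own logic): a heuristic that flags 'unescape' being copied to another name and counts later calls through that alias. The regular expression, the name findUnescapeAliases and the sample scripts are constructed for illustration, and the pattern goes slightly beyond the 'var variable_name = unescape;' form by also accepting let/const and window.unescape.

```javascript
// Added illustration: a regex heuristic, not the vendor's signature logic.
// It flags statements that copy the built-in `unescape` into another name.

// Matches `var u = unescape;`, `let u = window.unescape`, `u = unescape` ...
// The trailing lookahead rejects `unescape(`, so a direct call is not flagged.
// A comparison such as `x == unescape` does not match: the second `=` blocks it.
const ALIAS_RE =
  /(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=\s*(?:(?:window|self|this)\s*\.\s*)?unescape\b(?!\s*\()/g;

function findUnescapeAliases(source) {
  const findings = [];
  for (const m of source.matchAll(ALIAS_RE)) {
    const alias = m[1];
    // Count calls made through the alias after the assignment. The lookbehind
    // skips longer identifiers (`menu(`) and member calls (`obj.u(`).
    const callRe = new RegExp(
      "(?<![\\w$.])" + alias.replace(/\$/g, "\\$") + "\\s*\\(", "g");
    const rest = source.slice(m.index + m[0].length);
    const callsViaAlias = (rest.match(callRe) || []).length;
    findings.push({ alias, offset: m.index, callsViaAlias });
  }
  return findings;
}

// Constructed sample scripts (harmless strings, never executed here).
const SAMPLES = {
  // The exact form the signature text quotes, then two calls via the alias.
  aliased: "var u = unescape;\ndocument.title = u('%48%69') + u('%21');",
  // Same aliasing reached through the global object.
  viaWindow: "let dec = window.unescape; dec('%41');",
  // Ordinary use: a direct call and a comparison. Should not be flagged.
  directCall: "var s = unescape('%41'); if (s == unescape) {}",
  // Legitimate code that reassigns the function: the documented
  // false-positive case. It is flagged just like the first sample.
  benignLibrary: "const decodeLegacy = unescape; // compat shim",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(findUnescapeAliases(src)));
}
```

The benignLibrary sample is reported the same way as the aliased one, which is the false-positive behaviour described above: the pattern sees only the reassignment, not the intent behind it.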

How to remove this vulnerability

This audit is for informational purposes only.

References

ISS X-Force
JavaScript unescape obfuscation
http://www.iss.net/security_center/static/38992.php