JavaScript unescape obfuscation (JavaScript_Unescape_Obfuscation)

About this signature or vulnerability

Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This signature triggers when the JavaScript 'unescape' function has been deliberately renamed using a statement similar to 'var variable_name = unescape;'. This behavior is a deliberate obfuscation attempt for the purpose of evading an IDS and should be viewed as highly suspicious.


False positives

Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows): Some complex JavaScript applications make use of 'unescape' (and other function name) reassignments. In those instances, this signature will trigger.

False negatives

Proventia Server IPS for Linux technology, Virtual Server Protection for VMware, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows): None

Default risk level

Low

Sensors that have this signature

Proventia Server IPS for Linux technology: 28.010, Virtual Server Protection for VMware: 1.0, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network IDS: XPU 28.010, Proventia Network IPS: XPU 28.010, Proventia Network MFS: XPU 28.010, IBM Security Host Protection for Desktops: 2140, IBM Security Host Protection for Servers (Unix): 2.2.2, RealSecure Server Sensor: XPU 28.010, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.2140, IBM Security Host Protection for Servers (Windows): 2.0.252.2140

Systems affected

IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Suspicious Activity

Vulnerability description

JavaScript permits assigning a function to a variable, after which the variable can be called in place of the function. A remote attacker can assign the unescape function to a variable and call it through that name in an attempt to evade IDS systems that detect use of the function by its own name.
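
The renaming pattern described above can be checked for in script source with a short scanner. The following is an added example, not the signature logic of any product listed on this page; the function name findUnescapeAliases, the regular expression and the sample script are assumptions constructed for illustration. It reports each alias assignment, its line, and how often the alias is then called, and it leaves direct calls and comparisons unflagged.

```javascript
// Added example (not vendor signature logic): find statements that assign the
// built-in unescape function to another name, e.g. `var u = unescape;`.

// `<name> = unescape` where unescape is a bare reference: not a call, not a
// property access, not a comparison, not the prefix of a longer identifier.
const ALIAS_RE =
  /([A-Za-z_$][\w$.]*)\s*=\s*(?:window\s*\.\s*)?unescape(?![\w$])(?!\s*[(.])/g;

// Escape an identifier so it can be embedded in a RegExp.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns one record per alias: its name, the 1-based line of the assignment,
// and how many times the alias is then called in the same source.
function findUnescapeAliases(source) {
  const findings = [];
  for (const m of source.matchAll(ALIAS_RE)) {
    const alias = m[1];
    const line = source.slice(0, m.index).split("\n").length;
    const callRe = new RegExp("(?<![\\w$.])" + escapeRe(alias) + "\\s*\\(", "g");
    const calls = (source.match(callRe) || []).length;
    findings.push({ alias, line, calls });
  }
  return findings;
}

// Constructed sample input (hypothetical page script, not captured traffic).
const SAMPLE = [
  'var payload = "%48%65%6c%6c%6f";',
  'var u = unescape;',                       // alias assignment: flagged
  'document.title = u(payload) + u("%21");', // two calls through the alias
  'var plain = unescape("%41");',            // direct call: not flagged
  'if (decoder == unescape) { }',            // comparison: not flagged
  'lib.decode = window.unescape;',           // reassignment in application code
].join("\n");

console.log(findUnescapeAliases(SAMPLE));
```

The last sample line is the kind of reassignment the False positives section describes, so a finding with no subsequent encoded-string calls is a candidate for triage rather than proof of obfuscation.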

How to remove this vulnerability

This audit is for informational purposes only.

References

ISS X-Force
JavaScript unescape obfuscation
http://www.iss.net/security_center/static/38992.php