Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature triggers when the JavaScript 'unescape' function has been deliberately renamed using a statement similar to 'var variable_name = unescape;'. This behavior is a deliberate obfuscation attempt for the purpose of evading an IDS and should be viewed as highly suspicious.
Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: Some complex JavaScript applications make use of 'unescape' reassignments. In those instances, this signature will trigger.
Some complex JavaScript applications make use of 'unescape' (and other function name) reassignments. In those instances, this signature will trigger.
Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: None
Low
Proventia Desktop: 2140, Proventia Network IPS: XPU 28.010, RealSecure Network: XPU 28.010, RealSecure Server Sensor: XPU 28.010, BlackICE Server Protection: 3.6.cqt, BlackICE PC Protection: 3.6cqt, Proventia Network MFS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network IDS: XPU 28.010, IBM Security Server Protection for Windows: 1.0.914.2140, IBM Security Server Protection for Windows: 2.0.252.2140, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 28.010, Virtual Server Protection for Vmware: 1.0
IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X
Suspicious Activity
JavaScript permits a function to be assigned to a variable, and the variable can then be called in place of the function. A remote attacker can assign the JavaScript unescape function to a differently named variable in an attempt to evade IDS signatures that detect use of the function by name.
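The following is an added example, not the signature's own logic or any vendor code: a text-based check that flags assignments of 'unescape' to another name and counts later calls made through that alias. The names findUnescapeAliases, ALIAS_RE and SAMPLE are hypothetical, and the sample script lines are constructed for illustration.

```javascript
// Added example: static check for aliasing of the built-in unescape function.
// All names here are hypothetical; SAMPLE is constructed input.

// Matches "<name> = unescape" (optionally window./self./globalThis. qualified)
// where unescape is referenced but not called. Comparisons (==, !=) and
// ordinary calls such as unescape("%41") do not match.
const ALIAS_RE =
  /(?<![\w$.])([A-Za-z_$][\w$.]*)\s*=\s*(?:(?:window|self|globalThis)\.)?unescape(?![\w$])(?!\s*\()/g;

// Escape the only regex metacharacters an identifier path can contain.
function escapeRe(s) {
  return s.replace(/[.$]/g, "\\$&");
}

// Returns one finding per alias: its name, the 1-based line of the
// assignment, and how many times the alias is subsequently called.
function findUnescapeAliases(source) {
  const findings = [];
  for (const m of source.matchAll(ALIAS_RE)) {
    const alias = m[1];
    const line = source.slice(0, m.index).split("\n").length;
    const callRe = new RegExp("(?<![\\w$.])" + escapeRe(alias) + "\\s*\\(", "g");
    const calls = (source.match(callRe) || []).length;
    findings.push({ alias, line, calls });
  }
  return findings;
}

// Constructed sample: two aliases, one direct call, one comparison.
const SAMPLE = [
  'var zq = unescape;',
  'var payload = zq("%68%65%6c%6c%6f");',
  'var plain = unescape("%41");',
  'if (handler == unescape) { ok(); }',
  'util.decode = window.unescape;',
  'document.title = util.decode("%42") + zq("%43");',
].join("\n");

for (const f of findUnescapeAliases(SAMPLE)) {
  console.log(`line ${f.line}: unescape aliased as ${f.alias}, called ${f.calls} time(s)`);
}
```

The check works on raw text, so it also matches inside string literals and comments, and it flags the legitimate reassignments that some complex JavaScript applications perform.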
This audit is for informational purposes only.
ISS X-Force
JavaScript unescape obfuscation
http://www.iss.net/security_center/static/38992.php