Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems
Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding.
September 6, 2001
Reported September 05, 2001, by eEye Digital Security.
VERSIONS AFFECTED
· Cisco Secure Intrusion Detection System Sensor Component
· Cisco Catalyst 6000 Intrusion Detection System Module
· Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2
· Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1
· Internet Security Systems (ISS) RealSecure Server Sensor 5.5
· Enterasys Dragon IDS Sensor 4.x
· Snort, an open source Intrusion Detection System, prior to 1.8.1
DESCRIPTION
Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding. An attacker can use this vulnerability to evade IDSs when making requests on a Web server that the IDS would typically detect, such as requests for .ida files. eEye Digital Security's advisory provides a more detailed explanation of this vulnerability.
DEMONSTRATION
eEye Digital Security provided the following demonstration as proof-of-concept:
GET /himom.id%u0061 HTTP/1.0
“The above request will translate himom.id%u0061 to himom.ida and therefore the request will work properly. The problem is that since %u encoding is not a standard IDS systems did not know about this IIS specific encoding and therefore are not properly decoding %u requests and will not detect these attacks.”
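The sensor-side gap described above can be reproduced with a short normalizer. This is an added example, not code from the advisory or from any of the affected products. The `.ida` suffix check is a hypothetical stand-in for a real signature, and the sample requests other than the demonstration line are constructed.

```python
import re

# One escape: IIS-specific %uXXXX (16-bit code point) or standard %XX (one byte).
_ESCAPE = re.compile(r"%(?:[uU]([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))")
_U_ESCAPE = re.compile(r"%[uU][0-9a-fA-F]{4}")


def normalize_uri(uri):
    """Decode %XX and %uXXXX escapes in a single pass (no repeated decoding)."""
    # %XX bytes are mapped straight to code points, which is enough for
    # matching ASCII signatures such as a file extension.
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), uri)


def ida_signature(uri):
    """Hypothetical signature: the request path ends in .ida."""
    return uri.split("?", 1)[0].lower().endswith(".ida")


def inspect(request_line):
    """Report what a sensor sees before and after normalizing the URI."""
    parts = request_line.split()
    uri = parts[1] if len(parts) >= 2 else ""
    return {
        "raw_hit": ida_signature(uri),                        # sensor without %u support
        "normalized_hit": ida_signature(normalize_uri(uri)),  # sensor that decodes %u
        "u_encoded": bool(_U_ESCAPE.search(uri)),             # worth flagging on its own
    }


# Constructed sample requests; the first is the request line from the demonstration.
SAMPLES = [
    "GET /himom.id%u0061 HTTP/1.0",
    "GET /himom.ida HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, inspect(line))
```

Matching on the normalized URI closes the gap, and the `u_encoded` flag gives a second detection point, since the quoted advisory text notes that %u encoding is not a standard.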
VENDOR RESPONSE
Cisco Systems has published an advisory addressing this vulnerability and encourages users to follow the update procedures in the advisory.
ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php. BlackICE products are not susceptible to this vulnerability.
The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.
Snort 1.8.1 fixes this encoding bug.
CREDIT
Discovered by eEye Digital Security.