Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems

Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding.

Ken Pfeil

September 6, 2001

3 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported September 05, 2001, byeEye Digital Security.

VERSIONS AFFECTED

·         Cisco Secure Intrusion Detection System Sensor Component

·         Cisco Catalyst 6000 Intrusion Detection System Module

·         Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2

·         Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1

·         Internet Security Systems (ISS) RealSecure Server Sensor 5.5

·         Enterasys Dragon IDS Sensor 4.x

·         Snort, an open source Intrusion Detection System, prior to 1.8.1

 

DESCRIPTION
MultipleIntrusion Detection System (IDS) sensors don't detect HTTP requests that use“%u” encoding. An attacker can use this vulnerability to evade IDSs whenmaking requests on a Web server that the IDS would typically detect, such asrequests for .ida files. eEye Digital Security's advisorydescribes a more detailed explanation of this vulnerability.

 

DEMONSTRATION

eEyeDigital Security provided the following demonstration as proof-of-concept:

 

GET/himom.id%u0061 HTTP/1.0

 

“Theabove request will translate himom.id%u0061 to himom.ida and therefore therequest will work properly. The problem is that since %u encoding is not astandard IDS systems did not know about this IIS specific encoding and thereforeare not properly decoding %u requests and will not detect these attacks.”

 

VENDOR RESPONSE

Cisco Systems haspublished an advisoryaddressing this vulnerability and encourages users to follow the updateprocedures in the advisory.

 

Internet Security Systems:

  • ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php. BlackICE products are not susceptible to this vulnerability.

DragonIDS

  • The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.

Snort

 

CREDIT
Discovered by eEyeDigital Security.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like