Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems

Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding.

Ken Pfeil

September 6, 2001

3 Min Read
ITPro Today logo

Reported September 05, 2001, byeEye Digital Security.

VERSIONS AFFECTED

·         Cisco Secure Intrusion Detection System Sensor Component

·         Cisco Catalyst 6000 Intrusion Detection System Module

·         Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2

·         Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1

·         Internet Security Systems (ISS) RealSecure Server Sensor 5.5

·         Enterasys Dragon IDS Sensor 4.x

·         Snort, an open source Intrusion Detection System, prior to 1.8.1

 

DESCRIPTION
MultipleIntrusion Detection System (IDS) sensors don't detect HTTP requests that use“%u” encoding. An attacker can use this vulnerability to evade IDSs whenmaking requests on a Web server that the IDS would typically detect, such asrequests for .ida files. eEye Digital Security's advisorydescribes a more detailed explanation of this vulnerability.

 

DEMONSTRATION

eEyeDigital Security provided the following demonstration as proof-of-concept:

 

GET/himom.id%u0061 HTTP/1.0

 

“Theabove request will translate himom.id%u0061 to himom.ida and therefore therequest will work properly. The problem is that since %u encoding is not astandard IDS systems did not know about this IIS specific encoding and thereforeare not properly decoding %u requests and will not detect these attacks.”

 

VENDOR RESPONSE

Cisco Systems haspublished an advisoryaddressing this vulnerability and encourages users to follow the updateprocedures in the advisory.

 

Internet Security Systems:

  • ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php. BlackICE products are not susceptible to this vulnerability.

DragonIDS

  • The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.

Snort

 

CREDIT
Discovered by eEyeDigital Security.

About the Author(s)

Ken Pfeil

Ken Pfeil

See more from Ken Pfeil
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

cybersecurity operator or hacker works with data in dark room
IT Security
Master AI Cybersecurity: Protect and Enhance Your NetworkMaster AI Cybersecurity: Protect and Enhance Your Network
byBrien Posey
May 21, 2024
5 Min Read
business person stamping a document
IT Operations
How to Get Executive Buy-In for IT ProjectsHow to Get Executive Buy-In for IT Projects
byChristopher Tozzi
May 28, 2024
6 Min Read
yellow block stuck in between blue cog wheels
PowerShell
Using ChatGPT as a PowerShell Debugging ToolUsing ChatGPT as a PowerShell Debugging Tool
byBrien Posey
Jun 4, 2024
4 Min Read