Multiple intrusion detection systems may be circumvented via %u encoding

Overview

Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.

Description

Most intrusion detection systems are capable of decoding URLs that are encoded using either the “UTF” or “hex-encode” encoding schemes. Microsoft’s Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as “%u encoding”. According to the eEye Digital Security Advisory, “The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings.” Because "%u encoding does not appear to be widely utilized by products other than Microsoft’s Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.

---

Impact

An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.

---

Solution

Contact your vendor for patches.

---

Vendor Information

548515

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cisco Systems Inc. __ Affected

Updated: September 07, 2001

Status

Affected

Vendor Statement

Please see <http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23548515 Feedback>).

Enterasys Networks __ Affected

Updated: September 07, 2001

Status

Affected

Vendor Statement

Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE encoding flaw have been available, and a modification to the Web processing engine is already included in Dragon Sensor 5.0. To obtain dragon products, visit <http://dragon.enterasys.com>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23548515 Feedback>).

Internet Security Systems Inc. __ Affected

Updated: September 07, 2001

Status

Affected

Vendor Statement

ISS X-Force has included a patch for this vulnerability in RealSecure Network Sensor X-Press Update 3.2. ISS X-Force recommends that all RealSecure customers download and install the update immediately. RealSecure X-Press Update 3.2 is now available. RealSecure Network Sensor customers can download XPU 3.2 from the following address: http://www.iss.net/db_data/xpu/RS.php
RealSecure Server Sensor version 6.0.1 includes a fix for this vulnerability. RealSecure Server Sensor 6.0.1 will be available for download on September 4, 2001. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. A patch is being developed for RealSecure Server Sensor 5.5 and will be available on or before August 31, 2001 at the ISS Download Center: <http://www.iss.net/eval/eval.php&gt;.

BlackICE products are not affected by this vulnerability. Attempts to exploit this vulnerability will trigger the “HTTP URL bad hex code” signature. The next BlackICE product update will specifically address “%u” encoding."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23548515 Feedback>).

The Snort Project __ Affected

Updated: September 18, 2002

Status

Affected

Vendor Statement

Snort 1.8.1 fixes this encoding bug. You can receive it from <http://snort.sourcefire.com/&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23548515 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/3292&gt;
• <http://www.eeye.com/html/Research/Advisories/index.html&gt;
• <http://www.iss.net/db_data/xpu/RS.php&gt;
• <http://www.iss.net/eval/eval.php&gt;
• <http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml&gt;

Acknowledgements

The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.

This document was written by Ian A. Finlay.

Other Information

CVE IDs:	CVE-2001-0669
Severity Metric:	13.13 Date Public: