NFR Non-Standard Encoding HTTP Attack Evasion

2001-09-05T21:45:10
ID OSVDB:4442
Type osvdb
Reporter HSJ(), Marc Maiffret(marc@eeye.com)
Modified 2001-09-05T21:45:10

Description

Vulnerability Description

Network Flight Recorder contains a flaw that may allow a malicious user to craft HTTP-based attacks that evade detection. The issue is triggered when %u encoding is used to obfuscate HTTP URLs used in attacks. It is possible that the flaw may allow HTTP-based attacks to not be detected by the IDS.

Technical Description

IIS supports %u encoding in order to encode Unicode characters in HTTP URLs. The format is %u followed by four hexadecimal digits. The four hexadecimal digits represent the Unicode character being encoded. For example, %u0061 would represent the Unicode character 'a'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Network Flight Recorder contains a flaw that may allow a malicious user to craft HTTP-based attacks that evade detection. The issue is triggered when %u encoding is used to obfuscate HTTP URLs used in attacks. It is possible that the flaw may allow HTTP-based attacks to not be detected by the IDS.

Manual Testing Notes

First perform an HTTP GET for /etc/passwd Then perform an HTTP GET for /etc/p%u0061sswd

If the IDS system detects the first HTTP GET as an attack, but not the second one, then the IDS is vulnerable to this evasion technique.

References:

Related OSVDB ID: 4438 Related OSVDB ID: 4439 Related OSVDB ID: 4440 Related OSVDB ID: 4441 Related OSVDB ID: 4437 Related OSVDB ID: 4443 Other Advisory URL: http://xforce.iss.net/xforce/alerts/id/advise95 Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=99972950200602&w=2 Keyword: Network Flight Recorder ISS X-Force ID: 6995 CVE-2001-0669 CERT VU: 548515 Bugtraq ID: 3292