SECURITYVULNS:DOC:2002
Sep 06, 2001 - 12:00 a.m.

ISS Security Alert: Multiple Vendor IDS Unicode Bypass Vulnerability

Internet Security Systems Security Alert
September 5, 2001

Multiple Vendor IDS Unicode Bypass Vulnerability

Synopsis:

ISS X-Force is aware of a vulnerability in many commercial and open-
source IDS (Intrusion Detection System) products that may allow
attackers to evade detection. Microsoft Web server products recognize
a non-standard Unicode encoding method, which attackers may use to
obfuscate HTTP-based attacks and evade IDS detection.

Affected Versions:

Cisco Secure Intrusion Detection System
(formerly known as NetRanger, Sensor component)
Cisco Catalyst 6000 Intrusion Detection System Module
Dragon Sensor 4.x
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.0 for Windows
ISS RealSecure Server Sensor 5.5 for Windows
Snort prior to 1.8.1

** It has been reported that many other commercial and open-source IDS
systems may also be vulnerable.

Description:

Unicode provides a standard for international character sets by
assigning a unique number for each character. It comprises the
character repertoire of most commonly used character sets like ASCII,
ANSI, ISO-8859, Cyrillic, Greek, Chinese, Japanese and Korean. Unicode
encoding of ASCII characters can be used to obfuscate the appearance of
an HTTP request, while leaving it functional. This allows attackers to
disguise the payload used in an exploit and evade detection. The first
major Unicode vulnerability was documented against Microsoft Internet
Information Server (IIS) in October 2000. This vulnerability allowed
attackers to encode "/", "\" and "." characters to appear as their
Unicode counterparts and bypass the security mechanisms within IIS
that block directory traversal.

Unicode encoding can also be used to evade IDS detection due to a flaw
in Microsoft IIS that accepts and interprets non-standard Unicode
characters.

Examples:

The following is a standard HTTP GET request without Unicode-escaped
characters:

GET /attack.html HTTP/1.0

The following shows the same request, using a valid, but escaped Unicode
character in place of the letter k:

GET /attac%u006b.html HTTP/1.0

This request uses a non-standard form of Unicode, referred to as "%u
encoding". This type of encoding can be used to effectively bypass many
IDS signatures for IIS-specific vulnerabilities.
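
The check an IDS needs here, as an added example that is not part of the
original alert or of any vendor's product: decode both standard "%XX" and
"%u" escapes before signature matching, and report "%u" use on its own. The
function names, the substring signature list and the third sample request
are assumptions made for illustration.

```python
import re

# Standard escape: %XX. Non-standard "%u encoding" described above: %uXXXX.
# Accepting an upper-case "U" as well is a conservative choice of this example.
_ESCAPE = re.compile(r"%[uU]([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def normalize_url(raw):
    """Decode %XX and %uXXXX once. Returns (decoded_url, used_u_encoding)."""
    used_u = False

    def _decode(match):
        nonlocal used_u
        if match.group(1) is not None:      # %uXXXX form
            used_u = True
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 16))  # %XX form

    return _ESCAPE.sub(_decode, raw), used_u


def inspect_request(request_line, signatures):
    """Match substring signatures against the raw and the normalized URL."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    url = parts[1]
    decoded, used_u = normalize_url(url)
    return {
        "raw_hits": [s for s in signatures if s in url],
        "normalized_hits": [s for s in signatures if s in decoded],
        "u_encoding": used_u,  # worth an alert by itself on an IIS segment
    }


# The first two request lines are the ones quoted in this alert; the third
# is constructed to show that standard %XX escapes take the same path.
SAMPLE_REQUESTS = [
    "GET /attack.html HTTP/1.0",
    "GET /attac%u006b.html HTTP/1.0",
    "GET /a%74tack.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", inspect_request(line, ["/attack.html"]))
```

The "raw_hits" list is what a sensor that matches the undecoded URL would
see; for the "%u" request it is empty while "normalized_hits" is not.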

Recommendations:

ISS X-Force has included a patch for this vulnerability in RealSecure
Network Sensor X-Press Update 3.2. ISS X-Force recommends that all
RealSecure customers download and install the update immediately.
RealSecure X-Press Update 3.2 is now available at the following address:
http://www.iss.net/db_data/xpu/RS.php

Updates for all affected ISS products are now available at the ISS
Download Center:
http://www.iss.net/eval/eval.php

RealSecure Network Sensor 5.x, 6.x: Apply XPU 3.2.
RealSecure Server Sensor 5.5: Apply the patch.
RealSecure Server Sensor 6.0: Upgrade to Server Sensor 6.0.1.

BlackICE products are not affected by this vulnerability. Attempts to
exploit this vulnerability will trigger the "HTTP URL bad hex code"
signature. BlackICE version 3.0 will specifically address "%u" encoding.

Users of other affected IDS products should contact their vendor
immediately to obtain a patch or workaround.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0669 to this issue. This is a candidate for inclusion in
the CVE list http://cve.mitre.org, which standardizes names for security
problems.

eEye Digital Security Advisory:
http://www.eeye.com/html/Research/Advisories/index.html

Credits:

ISS X-Force would like to thank eEye Digital Security for bringing this
vulnerability to our attention.


About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail [email protected] for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.
