Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems

Reported September 05, 2001, by eEye Digital Security.

VERSIONS AFFECTED

  • Cisco Secure Intrusion Detection System Sensor Component
  • Cisco Catalyst 6000 Intrusion Detection System Module
  • Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2
  • Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1
  • Internet Security Systems (ISS) RealSecure Server Sensor 5.5
  • Enterasys Dragon IDS Sensor 4.x
  • Snort, an open source Intrusion Detection System, prior to 1.8.1

 

DESCRIPTION
Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding. An attacker can use this vulnerability to evade IDSs when making requests to a Web server that the IDS would typically detect, such as requests for .ida files. eEye Digital Security's advisory provides a more detailed explanation of this vulnerability.

 

DEMONSTRATION

eEye Digital Security provided the following demonstration as proof-of-concept:

 

GET /himom.id%u0061 HTTP/1.0

 

“The above request will translate himom.id%u0061 to himom.ida and therefore the request will work properly. The problem is that since %u encoding is not a standard, IDS systems did not know about this IIS-specific encoding and therefore are not properly decoding %u requests and will not detect these attacks.”
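
The detection gap described above, as an added example that is not code from eEye's advisory or from any of the listed products: a sensor-side check that decodes both %XX and %uXXXX escapes before applying a signature, next to the undecoded match that misses the request. The signature, alert names and sample request lines are constructed for illustration, and mapping each %uXXXX escape directly to its code point is a simplifying assumption.

```python
import re

# %uXXXX is the IIS-specific form from the advisory; %XX is standard URL encoding.
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
PERCENT_U = re.compile(r"%u[0-9a-fA-F]{4}")
# Illustrative signature: request target ending in .ida, with or without a query.
IDA_SIGNATURE = re.compile(r"\.ida(?:\?|$)", re.IGNORECASE)


def decode_path(raw):
    """Decode both escape forms in one pass (each escape -> its code point)."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw)


def raw_match(request_line):
    """Pre-fix sensor behaviour: signature applied to the undecoded target."""
    parts = request_line.split(" ")
    return len(parts) == 3 and bool(IDA_SIGNATURE.search(parts[1]))


def inspect(request_line):
    """Return the alerts raised for one HTTP request line after decoding."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    target = parts[1]
    alerts = []
    if PERCENT_U.search(target):
        # Non-standard encoding in a request is worth flagging on its own.
        alerts.append("percent-u-encoding")
    if IDA_SIGNATURE.search(decode_path(target)):
        alerts.append("ida-request")
    return alerts


# Constructed sample input; the first line is the request quoted in the advisory.
SAMPLES = [
    "GET /himom.id%u0061 HTTP/1.0",
    "GET /himom.id%61 HTTP/1.0",
    "GET /himom.ida HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: raw={raw_match(line)} decoded={inspect(line)}")
```
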

 

VENDOR RESPONSE

Cisco Systems has published an advisory addressing this vulnerability and encourages users to follow the update procedures in the advisory.

 

Internet Security Systems:

  • ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php. BlackICE products are not susceptible to this vulnerability.

DragonIDS

  • The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.

Snort

 

CREDIT
Discovered by eEye Digital Security.
