Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems

Reported September 05, 2001, by eEye Digital Security.


  • Cisco Secure Intrusion Detection System Sensor Component
  • Cisco Catalyst 6000 Intrusion Detection System Module
  • Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2
  • Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1
  • Internet Security Systems (ISS) RealSecure Server Sensor 5.5
  • Enterasys Dragon IDS Sensor 4.x
  • Snort, an open source Intrusion Detection System, prior to 1.8.1


Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding. An attacker can use this vulnerability to evade an IDS when sending a Web server requests that the IDS would typically detect, such as requests for .ida files. eEye Digital Security's advisory provides a more detailed explanation of this vulnerability.



eEye Digital Security provided the following demonstration as proof-of-concept:


GET /himom.id%u0061 HTTP/1.0


“The above request will translate himom.id%u0061 to himom.ida and therefore the request will work properly. The problem is that since %u encoding is not a standard, IDS systems did not know about this IIS specific encoding and therefore are not properly decoding %u requests and will not detect these attacks.”
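The gap described above, from the sensor's side, as an added example that is not code from eEye or from any of the affected products: a decoder that understands only %XX misses the demonstration request, while one that also decodes %uXXXX before matching catches it. The `.ida` signature, the function names, and the direct mapping of %uXXXX to a Unicode code point are assumptions made for this sketch.

```python
import re

# %uXXXX (IIS-specific) or standard %XX escapes.
_ANY_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_STD_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
_U_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

# Hypothetical signature for this example: a request path for an .ida file.
_IDA_SIGNATURE = re.compile(r"\.ida(?:$|[?/])", re.IGNORECASE)


def decode_standard_only(path: str) -> str:
    """Decoding as the advisory describes the affected sensors: %XX only."""
    return _STD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def normalize_path(path: str) -> str:
    """Decode %XX and %uXXXX in a single pass before signature matching.

    Assumption: each %uXXXX is treated as one Unicode code point.
    """
    return _ANY_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), path
    )


def inspect(request_line: str) -> dict:
    """Compare what each decoder lets the signature see for one request line."""
    parts = request_line.split(" ")
    path = parts[1] if len(parts) >= 2 else request_line
    normalized = normalize_path(path)
    return {
        # %u is non-standard, so its presence alone is worth logging.
        "uses_u_encoding": bool(_U_ESCAPE.search(path)),
        "standard_only_match": bool(
            _IDA_SIGNATURE.search(decode_standard_only(path))
        ),
        "normalized_match": bool(_IDA_SIGNATURE.search(normalized)),
        "normalized_path": normalized,
    }


if __name__ == "__main__":
    # The demonstration request from the advisory, then a %XX variant.
    for line in ("GET /himom.id%u0061 HTTP/1.0", "GET /himom.id%61 HTTP/1.0"):
        print(line, "->", inspect(line))
```
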



Cisco Systems has published an advisory addressing this vulnerability and encourages users to follow the update procedures in the advisory.


Internet Security Systems:

  • ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php. BlackICE products are not susceptible to this vulnerability.


  • The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.



Discovered by eEye Digital Security.
