Reported September 05, 2001, by eEye Digital Security.
VERSIONS AFFECTED
· Cisco Secure Intrusion Detection System Sensor Component
· Cisco Catalyst 6000 Intrusion Detection System Module
· Internet Security Systems (ISS) RealSecure Network Sensor 5.x and 6.x prior to XPU 3.2
· Internet Security Systems (ISS) RealSecure Server Sensor 6.x prior to 6.0.1
· Internet Security Systems (ISS) RealSecure Server Sensor 5.5
· Enterasys Dragon IDS Sensor 4.x
· Snort, an open source Intrusion Detection System, prior to 1.8.1
DESCRIPTION
DEMONSTRATION
eEye Digital Security provided the following demonstration as proof-of-concept:

GET /himom.id%u0061 HTTP/1.0

“The above request will translate himom.id%u0061 to himom.ida and therefore the request will work properly. The problem is that since %u encoding is not a standard, IDS systems did not know about this IIS specific encoding and therefore are not properly decoding %u requests and will not detect these attacks.”
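The gap described in the quote, shown from the sensor's side as an added example (not code from eEye or from any of the vendors listed): a signature check run after standard %XX decoding only, beside the same check run after decoding that also handles %uXXXX. The signature, function names and all sample requests except the first are constructed for illustration.

```python
import re

# Constructed signature for illustration: a request path ending in ".ida".
IDA_SIGNATURE = re.compile(r"\.ida(\?|$)", re.IGNORECASE)

STANDARD_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
# IIS also accepts %uXXXX (four hex digits naming a Unicode code point).
IIS_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_standard(path):
    """Decode %XX only, as a sensor unaware of %u encoding would."""
    return STANDARD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_iis(path):
    """Decode %XX and %uXXXX in one pass, so decoded output is not re-decoded."""
    return IIS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), path)


def request_path(request_line):
    """Return the request target from an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def detects(request_line, decoder):
    """True if the signature matches the path after normalization."""
    return bool(IDA_SIGNATURE.search(decoder(request_path(request_line))))


# First entry is the request from the advisory; the rest are constructed.
SAMPLES = [
    "GET /himom.id%u0061 HTTP/1.0",
    "GET /himom.id%61 HTTP/1.0",
    "GET /himom.ida HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: standard-only={detects(line, decode_standard)} "
              f"iis-aware={detects(line, decode_iis)}")
```

The sensor has to normalize the path the same way the Web server behind it does; any encoding the server accepts and the sensor leaves undecoded produces the same mismatch.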
VENDOR RESPONSE
Cisco Systems has published an advisory addressing this vulnerability and encourages users to follow the update procedures in the advisory.

Internet Security Systems:
ISS includes a patch in RealSecure Network Sensor X-Press Update 3.2. ISS recommends that all RealSecure customers immediately download and install the update available on its Web site. RealSecure Server Sensor 6.0.1 includes a fix for this vulnerability. Users can download RealSecure Server Sensor 6.0.1 from ISS's Web site. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. The vendor is developing a patch for RealSecure Server Sensor 5.5, which is available at the ISS Download Center http://www.iss.net/eval/eval.php.
BlackICE products are not susceptible to this vulnerability.

DragonIDS
The Web processing engine of Dragon Sensor 5.0 already includes signatures to detect this encoding.

Snort
Snort 1.8.1 fixes this encoding bug.
CREDIT
Multiple Intrusion Detection System (IDS) sensors don't detect HTTP requests that use “%u” encoding. An attacker can use this vulnerability to evade IDSs when making requests on a Web server that the IDS would typically detect, such as requests for .ida files. eEye Digital Security's advisory provides a more detailed explanation of this vulnerability.

Discovered by eEye Digital Security.
Encoding Bypass Vulnerability in Multiple Intrusion Detection Systems