Title: Multiple IDS Vendor Encoded IIS Attack Detection Evasion Vulnerability
Severity: CRITICAL
Description:
Many intrusion detection systems attempt to detect attack signatures in network traffic. Web requests can be encoded, possibly obfuscating any present attack signatures. Intrusion detection systems must decode encoded traffic in order to detect attacks.
Microsoft IIS web server supports a non-standard method of encoding web requests. Because this method is non-standard, network intrusion detection systems may not detect attacks encoded using this method.
The method, known as '%u' encoding, represents each 16-bit Unicode code unit as the character sequence '%u' followed by four hexadecimal digits (for example, '%u0041' decodes to 'A').
An attacker may be able to send attacks (such as buffer overflows, CGI input validation attacks, etc.) encoded using '%u' encoding to a target IIS webserver. While IIS will translate the encoded request, affected intrusion detection systems will not. Even if the IDS carries a signature for the attack, the signature is compared against the still-encoded request and therefore does not match.
This vulnerability only affects intrusion detection systems in environments where '%u' unicode encoding is supported by a webserver (i.e., IIS). If there is no webserver support for this encoding method, or if it is disabled, there will be no targets to which encoded attacks can be sent.
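The following is an added example, not code from the advisory or from any of the listed vendors. It models the two detection behaviours described above: a sensor that compares signatures against the raw request text (the vulnerable behaviour) beside one that first applies the same '%uXXXX' and '%XX' decoding IIS performs. The signature, the sample request and the mapping of code units above 0x7F to Unicode characters are all constructed assumptions for the demonstration.

```python
import re

# One pass, two alternatives: the non-standard '%uXXXX' form that IIS accepts,
# and the standard '%XX' form. Decoding in a single left-to-right pass means a
# decoded '%' can never be re-read as the start of a second escape.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_iis_request(path: str) -> str:
    """Return `path` with '%uXXXX' and '%XX' escapes decoded as IIS would.

    A '%u' not followed by exactly four hex digits (or a '%' not followed by
    two) is left as literal text. Assumption, not taken from the advisory:
    each code unit is emitted as the Unicode character it names; real IIS
    maps values above 0x7F through the server code page, which this model
    does not attempt to reproduce.
    """
    def _one(m):
        hexdigits = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(hexdigits, 16))
    return _ESCAPE.sub(_one, path)


# Constructed sample signature: a hypothetical CGI program name standing in
# for any signature an IDS might carry for a CGI input-validation attack.
SIGNATURES = ("/cgi-bin/hypothetical-vuln.cgi",)

# Constructed sample request: a single '%u'-escaped character ('h' as
# '%u0068') is already enough to defeat a raw substring comparison.
SAMPLE_REQUEST = "/cgi-bin/%u0068ypothetical-vuln.cgi?id=1"


def match_raw(request_path: str) -> list:
    """Vulnerable behaviour: compare signatures against the undecoded text."""
    return [s for s in SIGNATURES if s in request_path]


def match_normalized(request_path: str) -> list:
    """Fixed behaviour: decode the request as IIS would, then compare."""
    decoded = decode_iis_request(request_path)
    return [s for s in SIGNATURES if s in decoded]


if __name__ == "__main__":
    print("raw match:       ", match_raw(SAMPLE_REQUEST))
    print("normalized match:", match_normalized(SAMPLE_REQUEST))
```

The design point is the single decoding pass: normalising '%u' escapes in one step and standard '%XX' escapes in a second would let a '%u0025' (which decodes to '%') combine with following text into a new escape, so the two decoders would disagree on what the server actually received. Whatever decoding an IDS applies should match the server's own decoding as closely as possible, including its handling of malformed escapes.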
**NOTE**: Only RealSecure, Dragon IDS and Snort are confirmed vulnerable. BlackICE products flag '%u' encoded requests as invalid, but they do not decode the requests, and so do not detect any attack signature carried inside the encoding.
It is highly likely that IDS systems from other vendors are vulnerable as well; however, this is unconfirmed. The systems we believe may be vulnerable are listed so that all possibly affected subscribers become aware of this issue.
Alert updates will be published as more information becomes available regarding affected technologies.
Affected Products:
- Cisco Catalyst 6000 IDS Module
- Cisco Secure IDS Host Sensor 2.0.0
- Cisco Secure IDS Network Sensor 3.0.0
- Conectiva Linux 8.0.0
- Enterasys Dragon IDS 4.0.0
- Internet Security Systems RealSecure Network Sensor 5.0.0
- Internet Security Systems RealSecure Network Sensor 5.5.0
- Internet Security Systems RealSecure Network Sensor 5.5.1
- Internet Security Systems RealSecure Network Sensor 5.5.2
- Internet Security Systems RealSecure Network Sensor 6.0.0
- Internet Security Systems RealSecure Server Sensor 5.0.0 Win
- Internet Security Systems RealSecure Server Sensor 5.5.0 Win
- Internet Security Systems RealSecure Server Sensor 5.5.1 Win
- Internet Security Systems RealSecure Server Sensor 5.5.2 Win
- Internet Security Systems RealSecure Server Sensor 6.0.0 Win
- NFR Network Intrusion Detection 5.0.0
- Snort Project Snort 1.5.0
- Snort Project Snort 1.5.1
- Snort Project Snort 1.5.2
- Snort Project Snort 1.6.0
- Snort Project Snort 1.6.1
- Snort Project Snort 1.6.2
- Snort Project Snort 1.6.3
- Snort Project Snort 1.7.0
- Snort Project Snort 1.8.0
References:
- Cisco: Cisco Sec Adv: Cisco Secure Intrusion Detection System Signature Obfuscation
- Cisco Systems: Secure Intrusion Detection Homepage
- Enterasys: Dragon IDS Homepage
- Internet Security Systems: Intrusion Detection Product Homepage
- Internet Security Systems: X-Force Web Page
- Martin Roesch: Snort Homepage
- NFR: NID Homepage
- eEye: eEye Digital Security Team Home Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.