A security vulnerability has been found in the way many Intrusion Detection Systems (and other security products that rely on pattern matching) handle parsing of Unicode HTTP encoded requests (%xxxx). The vulnerability allows remote attackers to attack applications such as web servers while avoiding detection by the IDS.
Credit:
The information has been provided by Marc Maiffret.
Vulnerable systems:
Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor component.
Cisco Catalyst 6000 Intrusion Detection System Module
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.x prior to 6.0.1
ISS RealSecure Server Sensor 5.5
Dragon Sensor 4.x
Snort prior to 1.8.1
NFR (Network Flight Record)
Systems running the following products that use Gauntlet Firewall:
* Gauntlet for Unix versions 5.x
* PGP e-ppliance 300 series version 1.0
* McAfee e-ppliance 100 and 120 series
* Gauntlet for Unix version 6.0
* PGP e-ppliance 300 series versions 1.5, 2.0
* PGP e-ppliance 1000 series versions 1.5, 2.0
* McAfee WebShield for Solaris v4.1
Immune systems:
Symantec and NAI IDS
To function properly, an Intrusion Detection System must be able to decode (break down) the various forms of HTTP request encoding, such as UTF and hex encoding. Most commercial and freeware IDS (Intrusion Detection Systems) can decode UTF- and hex-encoded requests in order to analyze them for attack strings.
The two mainstream ways of encoding a URL are UTF (%xx%xx) and plain hex encoding (%xx), where xx are the relevant hex values. Microsoft's IIS web server supports both of these encodings, but it also accepts a third style of encoding that is not an HTTP standard. Most IDS systems were therefore not aware of this "different" encoding and do not try to decode it.
This "different" style of encoding is known as %u encoding. Its purpose appears to be to represent true Unicode/wide-character strings.
Since %u encoding is not a standard and IDS systems do not decode %u strings, an attacker can %u encode an attack against an IIS web server without the IDS detecting it. This allows scans and attacks against IIS web servers to succeed without IDS systems detecting them.
Example:
A good example of how this could have been used in the real world is a "stealth CodeRed". The CodeRed worm exploited the .ida buffer overflow vulnerability to compromise systems and propagate. CodeRed was detected because IDS systems had signatures for the .ida attacks. Had CodeRed used a polymorphic %u encoding mechanism, it would easily have slipped past most IDS systems, because they detected the .ida attack by looking for ".ida" (or some other .ida signature string) in a web request.
So an attacker who sent a %u encoded request could bypass IDS checks for ".ida". An example request would look like:
GET /himom.id%u0061 HTTP/1.0
IIS translates himom.id%u0061 to himom.ida, so the request works as intended. The problem is that, since %u encoding is not a standard, IDS systems did not know about this IIS-specific encoding; they do not decode %u requests and therefore will not detect these attacks.
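The following is an added illustration, not code from the advisory or from any of the vendors listed: a small URL normalizer that decodes standard %xx sequences as well as the IIS-specific %uXXXX form before signature matching, compared against a raw string match of the kind the advisory says most IDS products performed. The request lines, the signature string ".ida" and the function names are constructed for this example.

```python
import re

# Matches the two encodings the advisory describes:
#   %uXXXX -> a 16-bit code unit (IIS-specific, not an HTTP standard)
#   %XX    -> a single byte (standard percent-encoding)
# The %u alternative is tried first so that "%u0061" is not read as "%u" + "00".
_PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_once(s: str) -> str:
    """One decoding pass. Malformed sequences (e.g. '%u006') are left literal."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))   # %uXXXX
        # A real decoder would collect %XX bytes and UTF-8-decode them;
        # single-byte chr() is enough for ASCII signatures like ".ida".
        return chr(int(m.group(2), 16))
    return _PCT_RE.sub(repl, s)


def normalize(path: str, max_passes: int = 3) -> str:
    """Decode until stable, bounded by max_passes, then lowercase.

    The pass count is a policy knob (constructed here): a decoder that
    unwraps more layers than the target server does will produce false
    positives, one that unwraps fewer will miss what the server accepts.
    """
    cur = path
    for _ in range(max_passes):
        nxt = decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def request_path(request_line: str) -> str:
    """Extract the request-target from 'METHOD /path HTTP/x.y'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else request_line


def scan(request_line: str, signature: str = ".ida") -> dict:
    """Compare a raw substring match with a match on the normalized path."""
    path = request_path(request_line)
    decoded = normalize(path)
    return {
        "naive": signature in path.lower(),       # what the advisory says IDS did
        "normalized": signature in decoded,       # match after decoding %u / %xx
        "decoded": decoded,
    }


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /himom.ida HTTP/1.0",          # plain: both matchers fire
    "GET /himom.id%61 HTTP/1.0",        # standard %xx: raw match misses
    "GET /himom.id%u0061 HTTP/1.0",     # IIS %u form from the advisory
    "GET /himom.id%25u0061 HTTP/1.0",   # %u form hidden behind a second layer
    "GET /himom.id%u006 HTTP/1.0",      # malformed %u, left literal, no match
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = scan(line)
        print(f"{line:36} naive={r['naive']!s:5} normalized={r['normalized']!s:5} -> {r['decoded']}")
```

Run the module directly to see the table; the third sample reproduces the advisory's request, which the raw matcher passes while the normalizing matcher flags it.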
Vendor status:
Cisco
"Products that are not affected because they do NOT implement de-obfuscation, and do not implement attack signatures targeted at Microsoft operating systems and applications:
Cisco Secure PIX Firewall
Cisco IOS Firewall Feature Set with Intrusion Detection
To get information on how to patch and protect your Cisco products, visit: http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml."
ISS (Internet Security Systems)
"ISS X-Force has included a patch for this vulnerability in RealSecure Network Sensor X-Press Update 3.2. ISS X-Force recommends that all RealSecure customers download and install the update immediately. RealSecure X-Press Update 3.2 is now available. RealSecure Network Sensor customers can download XPU 3.2 from the following address: http://www.iss.net/db_data/xpu/RS.php
RealSecure Server Sensor version 6.0.1 includes a fix for this vulnerability. RealSecure Server Sensor 6.0.1 will be available for download on September 4, 2001. ISS X-Force recommends that all RealSecure customers upgrade their Windows Server Sensors to version 6.0.1. A patch is being developed for RealSecure Server Sensor 5.5 and will be available on or before August 31, 2001 at the ISS Download Center: http://www.iss.net/eval/eval.php
BlackICE
BlackICE products are not affected by this vulnerability. Attempts to exploit this vulnerability will trigger the "HTTP URL bad hex code" signature. The next BlackICE product update will specifically address "%u" encoding."
DragonIDS
"Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE encoding flaw have been available, and a modification to the Web processing engine is already included in Dragon Sensor 5.0. To obtain Dragon products, visit http://dragon.enterasys.com"