IDS Evasion Technique

From: ISS CustomerRelations (bpq@iss.net)
Date: 09/05/01


Message-Id: <4.2.2.20010904181813.00a94ed0@msgatl01.iss.net>
Date: Tue, 04 Sep 2001 18:18:56 -0400
To: xpress@iss.net
From: ISS CustomerRelations <bpq@iss.net>
Subject: IDS Evasion Technique



Dear ISS Customer,

We recently became aware of an evasion technique against RealSecure and
potentially other commercial and open-source IDS (Intrusion Detection
System) products that may allow some HTTP attacks to go
undetected. Microsoft Internet Information Services (IIS) Web server
products recognize a non-standard Unicode encoding method called
%u. Attackers may use this encoding method to send HTTP-based attacks that
evade IDS detection.

We would like to make you aware of how ISS products are affected by this
evasion technique and fixes available to correct the problem. ISS
engineers were able to quickly reproduce the issue and develop fixes.

RealSecure Network Sensor 5.x and 6.0. X-Press update 3.2 solves
this problem for RealSecure Network Sensors by recognizing this encoding
mechanism. The 3.2 XPU is currently available to all customers for
download. You can download X-Press Updates from within the RealSecure
console or from www.iss.net/xpu <http://www.iss.net/xpu>.

RealSecure Server Sensor 5.x and 6.0. ISS engineers tested Server
Sensor and found that the Windows Server Sensors protecting IIS systems are
vulnerable, but non-Windows systems are not affected by this
vulnerability. Server Sensor version 6.0.1 solves this problem and is
available for download from the ISS Download Center. ISS encourages
customers to upgrade their Windows Server Sensors to version 6.0.1. For
customers with Server Sensor 5.5 and 5.5.1, a patch is available now on the
ISS Download Center at: <http://www.iss.net/eval/eval.php>.

BlackICE products. All BlackICE products will detect these evasion
attempts. Attempts to exploit this vulnerability will trigger the "HTTP
URL bad hex code" signature. The next BlackICE product update will
specifically address "%u" encoding.

We have provided more detailed information below. If you have any
questions, please do not hesitate to contact your ISS customer care
representative by calling 888-447-4861 or 404-236-2700. We can also be
reached by e-mail at support@iss.net <mailto:support@iss.net>.

Thank you and best regards,

Sherry Anglin
Vice President of Customer Support and Services
Internet Security Systems

****************

Summary

Unicode provides a unique number for every character regardless of
platform, program, or language. The Unicode Standard has been adopted by
many industry leaders, including Apple, HP, IBM, Microsoft, Oracle, SAP,
and Sun. Unicode is required by modern standards such as XML and Java. It
is supported in all modern browsers and is often used to specify a URL. In
addition to supporting the standard Unicode encoding mechanism, Microsoft
IIS web servers support another type of Unicode called %u encoding. Since
this is not a standard, many intrusion detection and firewall systems have
not recognized HTTP requests using this mechanism until recently. An
X-Force Alert will be sent out soon that will provide additional information.

As a pioneer and leading provider of intrusion detection systems, ISS is
committed to continuing to evolve our information protection systems to
defend against known exploits.
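
The normalization gap described in the advisory, as an added example that is not part of the original message and is not ISS code: a sensor that decodes only standard %XX escapes misses a path that a server accepting %uXXXX would decode, while a sensor that decodes both escape forms matches it and also flags the encoding itself. The signature string, the sample paths and the function names are constructed for this illustration.

```python
import re

# Standard %XX escapes only: models a sensor that does not know about %u.
_STD_ONLY = re.compile(r"%(?P<x>[0-9a-fA-F]{2})")
# %uXXXX (the non-standard form the advisory says IIS accepts) plus %XX.
_STD_AND_U = re.compile(r"%u(?P<u>[0-9a-fA-F]{4})|%(?P<x>[0-9a-fA-F]{2})")

# Constructed signature list for the demonstration, not a real rule set.
SIGNATURES = ["/blocked.asp"]


def normalize(url_path, handle_percent_u=True):
    """Decode escapes in one pass; return (decoded_path, saw_percent_u)."""
    saw_percent_u = False

    def _decode(match):
        nonlocal saw_percent_u
        groups = match.groupdict()
        if groups.get("u") is not None:
            saw_percent_u = True
            return chr(int(groups["u"], 16))
        return chr(int(groups["x"], 16))

    pattern = _STD_AND_U if handle_percent_u else _STD_ONLY
    # re.sub never rescans its own output, so "%u0025u0041" is not decoded twice.
    return pattern.sub(_decode, url_path), saw_percent_u


def inspect(url_path, handle_percent_u=True):
    """Return the alerts raised for one request path."""
    decoded, saw_percent_u = normalize(url_path, handle_percent_u)
    alerts = []
    if saw_percent_u:
        # Flag the encoding itself, comparable to the advisory's note that
        # BlackICE alerts on such requests with a bad-hex-code signature.
        alerts.append("percent-u-encoding")
    lowered = decoded.lower()
    alerts.extend("signature:" + sig for sig in SIGNATURES if sig in lowered)
    return alerts


# Constructed sample request paths.
SAMPLES = ["/blocked.asp", "/bl%6Fcked.asp", "/bl%u006Fcked.asp", "/index.html"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, inspect(path, handle_percent_u=False), inspect(path))
```
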