[NEWS] %u Encoding IDS Bypass Vulnerability (UTF)
From: support@securiteam.com Date: 09/06/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] %u Encoding IDS Bypass Vulnerability (UTF)
Message-Id: <20010906050555.AEE7A138C0@mail.der-keiler.de>
Date: Thu, 6 Sep 2001 07:05:55 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
%u Encoding IDS Bypass Vulnerability (UTF)
------------------------------------------------------------------------
SUMMARY
A security vulnerability has been found in the way many Intrusion
Detection Systems (and other security products that rely on pattern
matching) parse Unicode-encoded HTTP requests (%uxxxx). The
vulnerability allows remote attackers to attack applications such as web
servers while evading detection by the IDS.
DETAILS
Vulnerable systems:
Cisco Secure Intrusion Detection System, formerly known as NetRanger,
Sensor component.
Cisco Catalyst 6000 Intrusion Detection System Module
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.x prior to 6.0.1
ISS RealSecure Server Sensor 5.5
Dragon Sensor 4.x
Snort prior to 1.8.1
NFR (Network Flight Record)
Immune systems:
Symantec and NAI IDS
For an Intrusion Detection System to function properly it must be able
to decode (break down) the various forms of HTTP encoding, such as UTF and
hex encoding. Most commercial and freeware IDS (Intrusion Detection
Systems) do have the ability to decode UTF- and hex-encoded requests in
order to analyze them for attack strings.
The two mainstream ways of encoding a URL are UTF (%xx%xx) and plain hex
encoding (%xx), where xx are the relevant hex values. Microsoft's IIS web
server supports both of these encodings, but it also accepts a third
style of encoding that is not an HTTP standard. Most IDS systems were
therefore not aware of this "different" encoding and do not try to
decode it.
This "different" style of encoding is known as %u encoding. Its purpose
seems to be to allow true Unicode/wide-character strings to be
represented.
Since %u encoding is not a standard and IDS systems do not decode %u
strings, an attacker can %u-encode an attack against an IIS web server
without the IDS detecting it, and can therefore perform scans and attacks
against IIS web servers without the IDS detecting them.
Example:
A good example of how this could have been used in the real world would
have been a "stealth CodeRed". The CodeRed worm exploited the .ida buffer
overflow vulnerability in order to propagate. CodeRed was detected
because IDS systems had signatures for the .ida attack. However, had
CodeRed used a polymorphic %u encoding mechanism, it would easily have
slipped past most IDS systems, because they detected the .ida attack by
looking for ".ida" (or another .ida signature string) in the web request.
So an attacker who sent a %u-encoded request could bypass an IDS that
checks for ".ida". An example request would look like:
GET /himom.id%u0061 HTTP/1.0
IIS translates himom.id%u0061 to himom.ida, so the request works as
intended. The problem is that, since %u encoding is not a standard, IDS
systems did not know about this IIS-specific encoding; they therefore do
not decode %u requests and will not detect these attacks.
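The following is an added example (not part of the advisory) that shows, from the detection side, why the bypass works and what the fix looks like: a hex-only decoder of the kind the advisory describes is placed next to a normalizer that also decodes IIS-style %uXXXX escapes, and both are run over the advisory's own request plus a few constructed request lines against the ".ida" signature string taken from the text.

```python
import re

# Group 1: IIS-specific %uXXXX (a UTF-16 code unit); group 2: standard %XX.
_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_HEX_ONLY_RE = re.compile(r"%([0-9a-fA-F]{2})")
_U_ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}")

# Signature string taken from the advisory; a real IDS carries many more.
SIGNATURE = ".ida"

def decode_hex_only(uri: str) -> str:
    """What a pre-fix IDS does: decode %XX only, leaving %uXXXX untouched."""
    return _HEX_ONLY_RE.sub(lambda m: chr(int(m.group(1), 16)), uri)

def normalize_uri(uri: str) -> str:
    """Decode %XX and IIS %uXXXX escapes before matching; malformed
    escapes such as '%u00' or '%zz' are left as they are."""
    def repl(m):
        digits = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(digits, 16))
    return _ESCAPE_RE.sub(repl, uri)

def uses_u_encoding(uri: str) -> bool:
    """%u is not part of HTTP, so its mere presence is worth an alert
    (compare BlackICE's 'HTTP URL bad hex code' signature)."""
    return _U_ESCAPE_RE.search(uri) is not None

def analyze(request_line: str) -> dict:
    """Run both decoders over the URI of a request line and report whether
    the signature fires before and after %u normalization."""
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else request_line
    return {
        "hex_only_hit": SIGNATURE in decode_hex_only(uri).lower(),
        "normalized_hit": SIGNATURE in normalize_uri(uri).lower(),
        "u_encoded": uses_u_encoding(uri),
    }

# Constructed sample traffic; the first line is the advisory's own example.
SAMPLE_REQUESTS = [
    "GET /himom.id%u0061 HTTP/1.0",        # %u-encoded 'a': evades hex-only IDS
    "GET /himom.ida HTTP/1.0",             # plain: both decoders match
    "GET /himom%2eida HTTP/1.0",           # standard %XX: both decoders match
    "GET /%u0068imom.id%u0061 HTTP/1.0",   # two %u escapes (constructed)
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:38} -> {analyze(line)}")
```

The first sample line shows the gap the advisory describes: the hex-only decoder leaves "%u0061" untouched and never sees ".ida", while the normalizer does.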
Vendor status:
Cisco
"Products that are not affected because they do NOT implement
de-obfuscation, and do not implement attack signatures targeted at
Microsoft operating systems and applications:
Cisco Secure PIX Firewall
Cisco IOS Firewall Feature Set with Intrusion Detection
To get information on how to patch and protect your Cisco products, visit:
http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml"
ISS (Internet Security Systems)
"ISS X-Force has included a patch for this vulnerability in RealSecure
Network Sensor X-Press Update 3.2. ISS X-Force recommends that all
RealSecure customers download and install the update immediately.
RealSecure X-Press Update 3.2 is now available. RealSecure Network Sensor
customers can download XPU 3.2 from the following address:
http://www.iss.net/db_data/xpu/RS.php
RealSecure Server Sensor version 6.0.1 includes a fix for this
vulnerability. RealSecure Server Sensor 6.0.1 will be available for
download on September 4, 2001. ISS X-Force recommends that all RealSecure
customers upgrade their Windows Server Sensors to version 6.0.1. A patch
is being developed for RealSecure Server Sensor 5.5 and will be available
on or before August 31, 2001 at the ISS Download Center:
http://www.iss.net/eval/eval.php
BlackICE
BlackICE products are not affected by this vulnerability. Attempts to
exploit this vulnerability will trigger the "HTTP URL bad hex code"
signature. The next BlackICE product update will specifically address
"%u" encoding."
DragonIDS
"Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE
encoding flaw have been available, and a modification to the Web
processing engine is already included in Dragon Sensor 5.0. To obtain
Dragon products, visit http://dragon.enterasys.com"
Snort
"Snort 1.8.1 fixes this encoding bug. You can receive it from
http://snort.sourcefire.com/"
ADDITIONAL INFORMATION
The information has been provided by Marc Maiffret <marc@eeye.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.