Microsoft IIS %u Unicode wide character encoding detected

iis-unicode-wide-encoding (6995)

High Risk

Description:

Microsoft Internet Information Server (IIS) allows wide characters to be Unicode encoded in URL requests in a format that uses "%u". Such encoded characters appear as "%uXXXX", where "XXXX" represents hexadecimal characters (0-9, A-F). For example, the character 'a' can be encoded as "%u0061" . A remote attacker can use this form of encoding to attempt to bypass intrusion detection systems.

Many public ".ida" overflow exploits (including the CodeRed worms) use this type of encoding when executing a buffer overflow attempt.

Platforms Affected:

• Cisco, Intrusion Detection System
• Enterasys, Dragon Sensor
• IBM, ISS RealSecure Network 5.0
• IBM, ISS RealSecure Network 6.0
• IBM, ISS RealSecure Network 6.5
• IBM, ISS RealSecure Server Sensor 5.5
• IBM, ISS RealSecure Server Sensor 6.0
• Snort, Snort 1.5
• Snort, Snort 1.5.1
• Snort, Snort 1.5.2
• Snort, Snort 1.6
• Snort, Snort 1.6.1
• Snort, Snort 1.6.2
• Snort, Snort 1.6.3
• Snort, Snort 1.7
• Snort, Snort 1.8.0

Remedy:

For RealSecure Network Sensor 5.x, 6.x: Apply the latest RealSecure Network Sensor X-Press Update (XPU 3.2 or later), as listed in Internet Security Systems Security Alert #95. See References. For RealSecure Server Sensor 6.0: Upgrade to the latest version of RealSecure Server Sensor (6.0.1 or later), as listed in Internet Security Systems Security Alert #95. See References. For Cisco Secure Intrusion Detection System (Netranger): Apply the latest service pack as listed in Cisco Systems Field Notice, September 5, 2001. See References. For Snort prior to 1.8.1: Upgrade to the latest version of Snort (1.8.1 or later) available at: http://www.snort.org/downloads.html

Consequences:

Bypass Security

References:

• CIAC Information Bulletin L-139, Microsoft IIS "%u encoding IDS bypass vulnerability" at http://www.ciac.org/ciac/bulletins/l-139.shtml.
• CIAC Information Bulletin M-001, Cisco Secure IDS Signature Obfuscation Vulnerability at http://www.ciac.org/ciac/bulletins/m-001.shtml.
• Cisco Systems Field Notice, September 5, 2001, Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability at http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml.
• eEye Digital Security Advisory AD20010705, %u encoding IDS bypass vulnerability at http://www.eeye.com/html/Research/Advisories/AD20010705.html.
• Internet Security Systems Security Alert #95, Multiple Vendor IDS Unicode Bypass Vulnerability at http://www.iss.net/xforce/alerts/id/advise95.
• BID-3292: Multiple IDS Vendor Encoded IIS Attack Detection Evasion Vulnerability
• CVE-2001-0669: Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard %u Unicode encoding of ASCII characters in the requested URL.

Reported:

Aug 17, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page