Microsoft IIS %u Unicode wide character encoding detected
| iis-unicode-wide-encoding (6995) |  High Risk |
Description:
Microsoft Internet Information Server (IIS) allows wide characters to be Unicode encoded in URL requests in a format that uses "%u". Such encoded characters appear as "%uXXXX", where "XXXX" represents hexadecimal characters (0-9, A-F). For example, the character 'a' can be encoded as "%u0061" . A remote attacker can use this form of encoding to attempt to bypass intrusion detection systems.
Many public ".ida" overflow exploits (including the CodeRed worms) use this type of encoding when executing a buffer overflow attempt.
Consequences:
Bypass Security
Remedy:
For RealSecure Network Sensor 5.x, 6.x: Apply the latest RealSecure Network Sensor X-Press Update (XPU 3.2 or later), as listed in Internet Security Systems Security Alert #95. See References. For RealSecure Server Sensor 6.0: Upgrade to the latest version of RealSecure Server Sensor (6.0.1 or later), as listed in Internet Security Systems Security Alert #95. See References. For Cisco Secure Intrusion Detection System (Netranger): Apply the latest service pack as listed in Cisco Systems Field Notice, September 5, 2001. See References. For Snort prior to 1.8.1: Upgrade to the latest version of Snort (1.8.1 or later) available at: http://www.snort.org/downloads.html
References:
- CIAC Information Bulletin L-139: Microsoft IIS "%u encoding IDS bypass vulnerability".
- CIAC Information Bulletin M-001: Cisco Secure IDS Signature Obfuscation Vulnerability.
- Cisco Systems Field Notice, September 5, 2001: Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability.
- eEye Digital Security Advisory AD20010705: %u encoding IDS bypass vulnerability.
- Internet Security Systems Security Alert #95: Multiple Vendor IDS Unicode Bypass Vulnerability.
- BID-3292: Multiple IDS Vendor Encoded IIS Attack Detection Evasion Vulnerability
- CVE-2001-0669: Various Intrusion Detection Systems (IDS) including (1) Cisco Secure Intrusion Detection System, (2) Cisco Catalyst 6000 Intrusion Detection System Module, (3) Dragon Sensor 4.x, (4) Snort before 1.8.1, (5) ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2, and (6) ISS RealSecure Server Sensor 5.5 and 6.0 for Windows, allow remote attackers to evade detection of HTTP attacks via non-standard %u Unicode encoding of ASCII characters in the requested URL.
Platforms Affected:
- Cisco Intrusion Detection System
- Enterasys Dragon Sensor
- IBM ISS RealSecure Network 5.0
- IBM ISS RealSecure Network 6.0
- IBM ISS RealSecure Network 6.5
- IBM ISS RealSecure Server Sensor 5.5
- IBM ISS RealSecure Server Sensor 6.0
- Snort Snort 1.5
- Snort Snort 1.5.1
- Snort Snort 1.5.2
- Snort Snort 1.6
- Snort Snort 1.6.1
- Snort Snort 1.6.2
- Snort Snort 1.6.3
- Snort Snort 1.7
- Snort Snort 1.8.0
Reported:
Aug 17, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net