
Cisco Systems; %u encoding IDS bypass vulnerability

by Phiber on September 6th, 2001

The two mainstream ways of encoding a URL are UTF (%xx%xx) and plain hex encoding (%xx), where xx are the relevant hex values. Microsoft's IIS web server supports both of these encodings, but it also accepts a third style of encoding that is not part of the HTTP standard. Most IDS systems were therefore not aware of this "different" encoding and did not try to decode it.


This "different" style of encoding is known as %u encoding. Its purpose appears to be the ability to represent true Unicode/wide-character strings.

Since %u encoding is not a standard and IDS systems do not decode %u strings, an attacker can %u encode his/her attack against an IIS web server without an IDS system detecting it. This allows an attacker to successfully perform scans and attacks against IIS web servers without IDS systems detecting them.

Example:

A good example of how this could have been used in the real world would have been a "stealth CodeRed". The CodeRed worm used the .ida buffer overflow vulnerability to exploit systems and propagate itself. CodeRed was detected because IDS systems had signatures for the .ida attacks. Had CodeRed used a polymorphic %u encoding mechanism, it would easily have slipped past most IDS systems, because they detected the .ida attack by looking for ".ida" (or some other .ida signature string) in a web request.

So if an attacker sent a %u encoded request, they could bypass IDSs checking for ".ida". An example request would look like:

GET /himom.id%u0061 HTTP/1.0

The above request will translate himom.id%u0061 to himom.ida, so the request works properly on the server. The problem is that since %u encoding is not a standard, IDS systems did not know about this IIS-specific encoding; they do not properly decode %u requests and therefore do not detect these attacks.
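To make the gap concrete from the defender's side, here is an added example (not code from the original article) of the normalization step an IDS needs before signature matching. It runs the article's request through two decoders: one that only understands the standard %xx escapes, and one that also understands the IIS-specific %uXXXX form. The signature (".ida"), the sample requests other than the article's own, and the choice to also flag any %u escape as non-standard encoding are assumptions made for this example.

```python
import re

# One left-to-right pass over the path. The %uXXXX alternative is the
# IIS-specific form described in the article; %XX is the standard hex escape.
# Accepting an uppercase %U as well is a defensive choice made here, not
# something the article states about IIS.
_ESCAPE = re.compile(r'%[uU]([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
_STD_ESCAPE = re.compile(r'%([0-9A-Fa-f]{2})')
_U_ESCAPE = re.compile(r'%[uU][0-9A-Fa-f]{4}')


def decode_standard(path):
    """Decode only the standard %XX escapes.

    An IDS that stops here leaves %u0061 untouched, which is the blind
    spot the article describes.
    """
    return _STD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_iis_style(path):
    """Decode both %uXXXX (IIS-specific) and %XX escapes in a single pass."""
    def repl(match):
        hexdigits = match.group(1) or match.group(2)
        return chr(int(hexdigits, 16))
    return _ESCAPE.sub(repl, path)


def analyze(request_line, signature=".ida"):
    """Run one HTTP request line through a naive and a %u-aware check.

    Matching is case-insensitive because IIS paths are case-insensitive.
    """
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    path = parts[1]
    naive = decode_standard(path)
    normalized = decode_iis_style(path)
    return {
        "path": path,
        "naive_alert": signature.lower() in naive.lower(),
        "normalized_alert": signature.lower() in normalized.lower(),
        # Any %u escape is worth an alert on its own: it is not part of the
        # HTTP standard, so a legitimate client has little reason to send it.
        "uses_u_encoding": _U_ESCAPE.search(path) is not None,
    }


# Constructed sample traffic. The second line is the request from the
# article; the other three are made up here for contrast.
SAMPLE_REQUESTS = [
    "GET /default.ida HTTP/1.0",
    "GET /himom.id%u0061 HTTP/1.0",
    "GET /himom.id%61 HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Analyze each sample request and return the results in order."""
    return [analyze(line) for line in requests]


if __name__ == "__main__":
    for r in run_samples():
        print("%-20s naive=%-5s normalized=%-5s %%u-seen=%s" % (
            r["path"], r["naive_alert"], r["normalized_alert"],
            r["uses_u_encoding"]))
```

Run stand-alone, the script shows the plain and %61-encoded requests caught by both decoders, the %u0061 request caught only after IIS-style normalization, and the benign request caught by neither. The `uses_u_encoding` flag is the cheap fallback: even an IDS that cannot fully emulate the server's decoder can still alert on the mere presence of a non-standard escape.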

Vendor Status:

Cisco

"Products that are not affected because they do NOT implement de-obfuscation, and do not implement attack signatures targeted at Microsoft operating systems and applications.

Cisco Secure PIX Firewall

Cisco IOS Firewall Feature Set with Intrusion Detection

To get information on how to patch and protect your Cisco products, visit:

http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml.

FYI:

For an Intrusion Detection System to function properly, it must be able to decode (break down) the various forms of HTTP-encoded requests, such as UTF and hex encoding. Most commercial and freeware IDS (Intrusion Detection Systems) can break down UTF and hex encoded requests in order to analyze them for attack strings.
