Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Multiple IDS Vendor Encoded IIS Attack Detection

Multiple IDS Vendor Encoded IIS Attack Detection

by Phiber on September 9th, 2001 The Microsoft IIS web server supports a non-standard method of encoding web requests. Because this method is non-standard, intrusion detection systems may not detect attacks encoded using this method.


This vulnerability only affects intrusion detection systems in environments where '%u' unicode encoding is supported by a webserver (ie, IIS). If there is no webserver support for this encoding method or if it is disabled, there will be no targets to which encoded attacks can be sent.


Note:

Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well, however we have not recieved confirmation. This record will be updated as more information becomes available regarding affected technologies.


- BlackICE products detect '%u' encoded requests as being invalid, but do not decode them and detect encoded attack signatures.


Solution:


Cisco Secure IDS Host Sensor 2.0:

Cisco upgrade Secure IDS Host Sensor 3.0(2)S6
ftp://ftp-eng.cisco.com/csids-sig-updates/ServicePacks/IDSk9-sp-3.0-1.43-S6-0.43-.bin

Cisco Secure IDS Network Sensor 3.0:

Cisco upgrade Secure IDS Host Sensor 3.0(2)S6
ftp://ftp-eng.cisco.com/csids-sig-updates/ServicePacks/IDSk9-sp-3.0-1.43-S6-0.43-.bin

Enterasys Dragon IDS 4.0:

Enterasys upgrade Dragon IDS 5.0
http://dragon.enterasys.com

Internet Security Systems RealSecure Network Sensor 6.0:

Internet Security Systems hotfix XPU 3.2
http://www.iss.net/db_data/xpu/RSNS 3.2.php

Internet Security Systems RealSecure Network Sensor 5.5.2:

Internet Security Systems hotfix XPU 3.2
http://www.iss.net/db_data/xpu/RSNS 3.2.php

Internet Security Systems RealSecure Network Sensor 5.5.1:

Internet Security Systems hotfix XPU 3.2
http://www.iss.net/db_data/xpu/RSNS 3.2.php

Internet Security Systems RealSecure Network Sensor 5.5:

Internet Security Systems hotfix XPU 3.2
http://www.iss.net/db_data/xpu/RSNS 3.2.php

Internet Security Systems RealSecure Network Sensor 5.0:

Internet Security Systems hotfix XPU 3.2
http://www.iss.net/db_data/xpu/RSNS 3.2.php

Internet Security Systems RealSecure Server Sensor 6.0 Win:

Internet Security Systems upgrade RealSecure Server Sensor 6.0.1 Win


Internet Security Systems RealSecure Server Sensor 5.5.2 Win:

Internet Security Systems upgrade RealSecure Server Sensor 6.0.1 Win


Internet Security Systems RealSecure Server Sensor 5.5.1 Win:

Internet Security Systems upgrade RealSecure Server Sensor 6.0.1 Win


Internet Security Systems patch RealSecure Server Sensor Patch
http://www.iss.net/eval/eval.php

Internet Security Systems RealSecure Server Sensor 5.5 Win:

Internet Security Systems upgrade RealSecure Server Sensor 6.0.1 Win


Internet Security Systems patch RealSecure Server Sensor Patch
http://www.iss.net/eval/eval.php

Internet Security Systems RealSecure Server Sensor 5.0 Win:

Internet Security Systems upgrade RealSecure Server Sensor 6.0.1 Win


Martin Roesch Snort 1.8:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.7:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.6.3:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.6.2:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.6.1:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.6:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.5.2:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.5.1:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz

Martin Roesch Snort 1.5:

Martin Roesch upgrade snort-1.8.1-RELEASE.tar.gz
http://www.snort.org/releases/snort-1.8.1-RELEASE.tar.gz


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »