[ISN] Stealth encoding bypasses IDS protection

From: InfoSec News (isnat_private)
Date: Mon Sep 10 2001 - 23:09:59 PDT

Next message: InfoSec News: "[ISN] New Hotmail Hack Evades Filters"

Previous message: InfoSec News: "[ISN] 3 comments on SSSCA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.theregister.co.uk/content/55/21573.html

By John Leyden
Posted: 10/09/2001 at 13:02 GMT

Cisco's Intrusion Detection System (IDS) is not the only technology
that fails to protect ISS Web servers against stealth unicode attacks.

An advisory by eEye Digital Security, reports that network and server
sensors from ISS, Dragon Sensor 4.x, Snort (prior to version 1.8.1)
and components of Cisco Secure IDS are affected by the issue. Symantec
and Network Associates have stated that their products are not
vulnerable.

Links to patches and advisories from vendors affected by the issue
have been collated by Security Focus and can be found here.

Last week we reported that Cisco had to alert its customers about the
problem only a day after announcing enhancements to its Secure IDS
products..

In fact the non-standard method of encoding Web requests (called
'%u'), which Microsoft's IIS supports but an IDS fails to decode, can
allow the creation of an attack which bypasses the IDS set-ups of most
vendors.

In practice, this means an attacker could modify a web-based attack,
such as a "stealth" Code Red, so that requests are encoded with '%u'
Unicode encoding, in order to get around IDS protection.

The obfuscation method works only because IIS permits a non-standard
decode of html (so Apache servers, for example, are not affected).

It's worth remembering that avoiding IDS detection is only the first
stage in an attack. The second stage - the compromise of the ISS Web
server - is where the damage is done. Webmasters can easily stop such
an attack by use of the latest security patches. But as we know, many
companies are ill-disciplined in applying security patches as they
come out.

IDS products, which inspect network traffic and raise alerts over
suspect packets, are used for the secondary protection of IIS servers,
so making sure they aren't fooled, still merits attention.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] New Hotmail Hack Evades Filters"
Previous message: InfoSec News: "[ISN] 3 comments on SSSCA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 01:58:09 PDT