[ISN] Stealth encoding bypasses IDS protection

From: InfoSec News (isnat_private)
Date: Mon Sep 10 2001 - 23:09:59 PDT


    By John Leyden
    Posted: 10/09/2001 at 13:02 GMT

    Cisco's Intrusion Detection System (IDS) is not the only technology
    that fails to protect IIS Web servers against stealth Unicode attacks.

    An advisory by eEye Digital Security reports that network and server
    sensors from ISS, Dragon Sensor 4.x, Snort (prior to version 1.8.1)
    and components of Cisco Secure IDS are affected by the issue. Symantec
    and Network Associates have stated that their products are not

    Links to patches and advisories from vendors affected by the issue
    have been collated by Security Focus and can be found here.
    Last week we reported that Cisco had to alert its customers about the
    problem only a day after announcing enhancements to its Secure IDS

    In fact the non-standard method of encoding Web requests (called
    '%u'), which Microsoft's IIS supports but an IDS fails to decode, can
    allow the creation of an attack which bypasses the IDS set-ups of most

    In practice, this means an attacker could modify a web-based attack,
    such as a "stealth" Code Red, so that requests are encoded with '%u'
    Unicode encoding, in order to get around IDS protection.

    The obfuscation method works only because IIS permits a non-standard
    decode of html (so Apache servers, for example, are not affected).
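    The core of the problem is a mismatch between what the server decodes
    and what the sensor decodes. As an added illustration (not code from the
    article, eEye, or any vendor's product), the Python below compares a
    decoder that handles only standard %XX escapes with one that also
    understands the IIS-specific %uXXXX form, and runs both over constructed
    request lines against a constructed signature list. The request paths
    and the "attack-marker.ida" signature are made up for the demo.

```python
import re

# Constructed sample request lines for this demo: one plain, one using
# standard %XX encoding, one using the IIS-specific %uXXXX form.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/%2e%2e/%2e%2e/attack-marker.ida HTTP/1.0",
    "GET /scripts/%u002e%u002e/%u002e%u002e/%u0061ttack-marker.ida HTTP/1.0",
]

# Constructed signature list; a real IDS ruleset is far larger.
SIGNATURES = ["../", "attack-marker.ida"]

# Standard percent-escape: '%' followed by two hex digits.
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# Either the IIS-only '%uXXXX' form (four hex digits) or the standard '%XX'.
_PCT_OR_U = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def naive_decode(s: str) -> str:
    """Decode only %XX escapes, as a sensor without %u support would."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def iis_style_decode(s: str) -> str:
    """Decode %uXXXX as well as %XX, so the sensor sees what IIS sees.

    A '%u' not followed by four hex digits is left literal, matching the
    conservative behaviour of leaving undecodable input untouched.
    """
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))   # %uXXXX -> code point
        return chr(int(m.group(2), 16))       # %XX    -> byte value
    return _PCT_OR_U.sub(repl, s)


def matches(decoded: str) -> list:
    """Return the signatures present in an already-normalised request."""
    return [sig for sig in SIGNATURES if sig in decoded]


def inspect(request: str, decoder) -> list:
    """Normalise a request with the given decoder, then apply signatures."""
    return matches(decoder(request))


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req)
        print("  naive    :", inspect(req, naive_decode))
        print("  iis-style:", inspect(req, iis_style_decode))
```

    The third request is the interesting one: the %XX-only decoder leaves
    the '%u' sequences literal and reports nothing, while the decoder that
    mirrors IIS normalises the same bytes to the signature-bearing path.
    Normalising to the target server's own decoding rules before matching is
    the general fix the affected vendors shipped.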
    It's worth remembering that avoiding IDS detection is only the first
    stage in an attack. The second stage - the compromise of the IIS Web
    server - is where the damage is done. Webmasters can easily stop such
    an attack by use of the latest security patches. But as we know, many
    companies are ill-disciplined in applying security patches as they
    come out.

    IDS products, which inspect network traffic and raise alerts over
    suspect packets, are used for the secondary protection of IIS servers,
    so making sure they aren't fooled still merits attention.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 01:58:09 PDT