-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 5, 2001

Multiple Vendor IDS Unicode Bypass Vulnerability

Synopsis:

ISS X-Force is aware of a vulnerability in many commercial and open-source IDS (Intrusion Detection System) products that may allow attackers to evade detection. Microsoft Web server products recognize a non-standard Unicode encoding method ("%u encoding"), which attackers may use to obfuscate HTTP-based attacks and evade IDS detection.

Affected Versions:

Cisco Secure Intrusion Detection System (formerly known as NetRanger, Sensor component)
Cisco Catalyst 6000 Intrusion Detection System Module
Dragon Sensor 4.x
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.0 for Windows
ISS RealSecure Server Sensor 5.5 for Windows
Snort prior to 1.8.1

** It has been reported that many other commercial and open-source IDS systems may also be vulnerable.

Description:

Unicode provides a standard for international character sets by assigning a unique number to each character. It comprises the character repertoires of most commonly used character sets, such as ASCII, ANSI, ISO-8859, Cyrillic, Greek, Chinese, Japanese and Korean.

Unicode encoding of ASCII characters can be used to obfuscate the appearance of an HTTP request while leaving it functional: the Web server decodes the escaped characters back to their ASCII values before acting on the request, but an IDS that matches its signatures against the raw request bytes never sees those values. This allows attackers to disguise the payload used in an exploit and evade detection.

The first major Unicode vulnerability was documented against Microsoft Internet Information Server (IIS) in October 2000. It allowed attackers to encode the "/", "\" and "." characters as non-canonical (overlong) UTF-8 sequences, which IIS decoded only after its directory-traversal checks had run, so those checks could be bypassed.

Unicode encoding can also be used to evade IDS detection because of a separate behavior of Microsoft IIS: it accepts and interprets a non-standard Unicode escape form that other HTTP implementations, and the IDS signatures written with them in mind, do not recognize.
Examples:

The following is a standard HTTP GET request without escaped characters:

GET /attack.html HTTP/1.0

The following shows the same request, using a valid but escaped Unicode character in place of the letter "k":

GET /attac%u006b.html HTTP/1.0

This request uses a non-standard form of Unicode escaping, referred to as "%u encoding": each escape is "%u" followed by four hexadecimal digits giving the character's Unicode code point, so %u006b is the letter "k". IIS decodes the escape and handles the request exactly as if /attack.html had been requested, but an IDS signature that looks for the literal string "attack.html" in the raw request does not match. This type of encoding can therefore be used to bypass many IDS signatures for IIS-specific vulnerabilities.

Recommendations:

ISS X-Force has included a patch for this vulnerability in RealSecure Network Sensor X-Press Update 3.2. ISS X-Force recommends that all RealSecure customers download and install the update immediately. RealSecure X-Press Update 3.2 is now available at the following address:

http://www.iss.net/db_data/xpu/RS.php

Updates for all affected ISS products are now available at the ISS Download Center:

http://www.iss.net/eval/eval.php

RealSecure Network Sensor 5.x, 6.x: Apply XPU 3.2.
RealSecure Server Sensor 5.5: Apply the patch.
RealSecure Server Sensor 6.0: Upgrade to Server Sensor 6.0.1.

BlackICE products are not affected by this vulnerability. Attempts to exploit this vulnerability will trigger the "HTTP URL bad hex code" signature. BlackICE version 3.0 will specifically address "%u" encoding.

Users of other affected IDS products should contact their vendor immediately to obtain a patch or workaround.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0669 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

eEye Digital Security Advisory:
http://www.eeye.com/html/Research/Advisories/index.html

Credits:

ISS X-Force would like to thank eEye Digital Security for bringing this vulnerability to our attention.
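The evasion and the fix described above, as an added example that is not part of the original alert and not ISS, eEye or any IDS vendor's code. It decodes both the standard %XX escape and the non-standard %uXXXX escape in a single left-to-right pass, then matches a signature against the canonical URL instead of the raw one, which is the generic check an IDS needs in order not to be bypassed by the advisory's example request. The request lines and the signature string are constructed for the example; the function and variable names are the example's own; and the decoder does not reproduce every detail of IIS's own handling (code-page mapping, any additional decoding passes), which is an assumption the reader should check against the server they protect.

```python
import re

# Constructed sample request lines (not captured traffic). The second one is the
# advisory's example: the "k" of attack.html written as an IIS-style %u escape.
PLAIN_REQUEST = "GET /attack.html HTTP/1.0"
U_ESCAPED_REQUEST = "GET /attac%u006b.html HTTP/1.0"

# Hypothetical IDS signature: the literal substring a naive rule looks for in the URL.
SIGNATURE = "/attack.html"

# One regex for both escape forms so that each "%" sequence is decoded exactly once,
# left to right. Decoding %u and %XX in two separate passes would let a decoded "%"
# (from %u0025 or %25) be re-interpreted as the start of a new escape (double decoding).
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def normalize_url(url: str) -> str:
    """Canonicalize a request URL by decoding %uXXXX (non-standard, IIS) and %XX
    (standard) escapes into the characters they denote. Unpaired UTF-16 surrogates
    (D800-DFFF) and malformed escapes are left untouched so the result is always
    valid text and nothing is silently dropped."""
    def repl(m):
        if m.group(1) is not None:          # %uXXXX: a UTF-16 code unit
            cu = int(m.group(1), 16)
            if 0xD800 <= cu <= 0xDFFF:
                return m.group(0)
            return chr(cu)
        return chr(int(m.group(2), 16))     # %XX: one byte, mapped 1:1 to a character
    return _ESCAPE.sub(repl, url)


def request_url(request_line: str) -> str:
    """Return the URL of an HTTP request line of the form 'METHOD URL HTTP/x.y'."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return parts[1]


def matches_signature(request_line: str, signature: str = SIGNATURE,
                      normalize: bool = True) -> bool:
    """Signature match as an IDS performs it. With normalize=False the signature is
    compared against the raw URL (the evadable behaviour the alert describes); with
    normalize=True it is compared against the canonical form the server acts on."""
    url = request_url(request_line)
    if normalize:
        url = normalize_url(url)
    return signature in url


def evasion_report(request_line: str, signature: str = SIGNATURE) -> dict:
    """Summarize one request: raw match, normalized match, and whether the encoding
    alone made the difference (an evasion attempt against a raw-byte signature)."""
    url = request_url(request_line)
    raw = matches_signature(request_line, signature, normalize=False)
    canon = matches_signature(request_line, signature, normalize=True)
    return {"url": url, "normalized": normalize_url(url),
            "raw_match": raw, "normalized_match": canon,
            "evasion": canon and not raw}


if __name__ == "__main__":
    for req in (PLAIN_REQUEST, U_ESCAPED_REQUEST):
        print(evasion_report(req))
```

Run stand-alone, the script shows the plain request matching either way and the %u-escaped request matching only after normalization, which is exactly the gap the patched sensors close. The single-pass decoder also keeps `%u002541` as `%41` rather than turning it into `A`; whether a given server decodes a second time is a property of that server, not of the IDS, and the two should be compared deliberately rather than assumed equal.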
______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforceat_private for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at:
http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforceat_private of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBO5e3LDRfJiV99eG9AQEzLwQAkcetQTx7fTYH72T+1jBA8fUjdhgWaFU3
lAXVvPrENl2WSYQIm2kU+hCYxspGLIsudioM6vq8WUp+fJyBM164dPp1DZSiQxAS
Pdxbc7Ggz8mZxOST3ogqZOl8cwyNOboP5BiVwebeURTCy7UNnKU5HwVghVjbyYNm
EPfItD6H/BY=
=N7Ti
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 16:41:55 PDT