Bugtraq mailing list archives

ISS Alert: Multiple Vendor IDS Unicode Bypass Vulnerability


From: X-Force <xforce () iss net>
Date: Thu, 6 Sep 2001 13:53:33 -0400

Internet Security Systems Security Alert 
September 5, 2001 

Multiple Vendor IDS Unicode Bypass Vulnerability 

Synopsis: 

ISS X-Force is aware of a vulnerability in many commercial and open-
source IDS (Intrusion Detection System) products that may allow
attackers to evade detection. Microsoft Web server products recognize
a non-standard Unicode encoding method, which attackers may use to
obfuscate HTTP-based attacks and evade IDS detection.

Affected Versions: 

Cisco Secure Intrusion Detection System 
  (formerly known as NetRanger, Sensor component)
Cisco Catalyst 6000 Intrusion Detection System Module
Dragon Sensor 4.x
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.0 for Windows
ISS RealSecure Server Sensor 5.5 for Windows 
Snort prior to 1.8.1

** It has been reported that many other commercial and open-source IDS
systems may also be vulnerable.

Description: 

Unicode provides a standard for international character sets by
assigning a unique number for each character.  It comprises the
character repertoire of most commonly used character sets like ASCII,
ANSI, ISO-8859, Cyrillic, Greek, Chinese, Japanese and Korean. Unicode
encoding of ASCII characters can be used to obfuscate the appearance of
an HTTP request, while leaving it functional. This allows attackers to
disguise the payload used in an exploit and evade detection. The first
major Unicode vulnerability was documented against Microsoft Internet
Information Server (IIS) in October 2000. This vulnerability allowed
attackers to encode "/", "\" and "." characters to appear as their
Unicode counterparts and bypass the security mechanisms within IIS
that block directory traversal.

Unicode encoding can also be used to evade IDS detection due to a flaw
in Microsoft IIS that accepts and interprets non-standard Unicode
characters. 

Examples:

The following is a standard HTTP GET request without Unicode-escaped
characters:

GET /attack.html HTTP/1.0

The following shows the same request, using a valid, but escaped Unicode
character in place of the letter k:

GET /attac%u006b.html HTTP/1.0

This request uses a non-standard form of Unicode, referred to as "%u
encoding". This type of encoding can be used to effectively bypass many
IDS signatures for IIS-specific vulnerabilities.
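The following Python is an added illustration, not part of the ISS alert: it shows why a byte-for-byte content signature misses the %u-encoded request above, how a decoding pass that understands both %XX and %uXXXX escapes restores the match, and how the mere presence of %u escapes can be flagged on its own. The signature string and request lines are constructed for the example.

```python
import re

# One escape: %uXXXX (the non-standard form IIS accepts) or %XX (RFC 2396).
_ESCAPE = re.compile(r'%[uU]([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
_U_ESCAPE = re.compile(r'%u[0-9a-fA-F]{4}', re.IGNORECASE)

def normalize_uri(uri: str) -> str:
    """Decode %XX and %uXXXX escapes into the characters they stand for,
    so a signature is compared against the path IIS will actually act on.
    A single pass is done, like a single-level decoder; call again if
    double-encoding needs to be unwound."""
    def decode(m: re.Match) -> str:
        hexdigits = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(hexdigits, 16))
    return _ESCAPE.sub(decode, uri)

def uses_u_encoding(uri: str) -> bool:
    """True when the request carries %u escapes at all. No standards-
    conforming client emits them, so their presence is worth an alert
    regardless of whether a content signature fires."""
    return _U_ESCAPE.search(uri) is not None

def naive_match(request_line: str, signature: str) -> bool:
    """The evadable behaviour: plain substring search on the raw bytes."""
    return signature in request_line

def normalized_match(request_line: str, signature: str) -> bool:
    """Decode first, then search, so encoding cannot change the verdict."""
    return signature in normalize_uri(request_line)

# Constructed request lines modelled on the advisory's two examples.
PLAIN      = "GET /attack.html HTTP/1.0"
OBFUSCATED = "GET /attac%u006b.html HTTP/1.0"
SIGNATURE  = "/attack.html"   # hypothetical content signature

if __name__ == "__main__":
    for line in (PLAIN, OBFUSCATED):
        print(f"{line!r}: naive={naive_match(line, SIGNATURE)} "
              f"normalized={normalized_match(line, SIGNATURE)} "
              f"u_encoded={uses_u_encoding(line)}")
```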

Recommendations: 

ISS X-Force has included a patch for this vulnerability in RealSecure
Network Sensor X-Press Update 3.2. ISS X-Force recommends that all
RealSecure customers download and install the update immediately.
RealSecure X-Press Update 3.2 is now available at the following address:
http://www.iss.net/db_data/xpu/RS.php
 
Updates for all affected ISS products are now available at the ISS
Download Center:
http://www.iss.net/eval/eval.php

RealSecure Network Sensor 5.x, 6.x:  Apply XPU 3.2.
RealSecure Server Sensor 5.5:        Apply the patch.
RealSecure Server Sensor 6.0:        Upgrade to Server Sensor 6.0.1.

BlackICE products are not affected by this vulnerability. Attempts to
exploit this vulnerability will trigger the "HTTP URL bad hex code"
signature. BlackICE version 3.0 will specifically address "%u" encoding. 

Users of other affected IDS products should contact their vendor
immediately to obtain a patch or workaround. 

Additional Information: 

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0669 to this issue. This is a candidate for inclusion in
the CVE list http://cve.mitre.org, which standardizes names for security
problems.

eEye Digital Security Advisory:
http://www.eeye.com/html/Research/Advisories/index.html 

Credits: 

ISS X-Force would like to thank eEye Digital Security for bringing this
vulnerability to our attention. 
______ 

About Internet Security Systems (ISS) 
Internet Security Systems is a leading global provider of security 
management solutions for the Internet, protecting digital assets and 
ensuring safe and uninterrupted e-business. With its industry-leading 
intrusion detection and vulnerability assessment, remote managed 
security services, and strategic consulting and education offerings, ISS 
is a trusted security provider to more than 8,000 customers worldwide 
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. 
telecommunications companies. Founded in 1994, ISS is headquartered in 
Atlanta, GA, with additional offices throughout North America and 
international operations in Asia, Australia, Europe, Latin America and 
the Middle East. For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477. 

Copyright (c) 2001 Internet Security Systems, Inc. 

Permission is hereby granted for the redistribution of this Alert 
electronically. It is not to be edited in any way without express 
consent of the X-Force. If you wish to reprint the whole or any part 
of this Alert in any other medium excluding electronic medium, please 
e-mail xforce () iss net for permission. 

Disclaimer 

The information within this paper may change without notice. Use of 
this information constitutes acceptance for use in an AS IS condition. 
There are NO warranties with regard to this information. In no event 
shall the author be liable for any damages whatsoever arising out of or 
in connection with the use or spread of this information. Any use of 
this information is at the user's own risk. 

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php 
as well as on MIT's PGP key server and PGP.com's key server. 

Please send suggestions, updates, and comments to: X-Force 
xforce () iss net of Internet Security Systems, Inc. 

