__________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

              Microsoft IIS "%u encoding IDS bypass vulnerability"

September 6, 2001 23:00 GMT                                       Number L-139
______________________________________________________________________________
PROBLEM:       The Microsoft Internet Information Server (IIS) has a non-HTTP 
               standard encoding method.  This Microsoft encoding method
               is named "%u encoding". The encoding style is not recognized
               by a variety of Intrusion Detection Systems (IDS). 
PLATFORM:      Microsoft IIS Web Servers.
DAMAGE:        The use of "%u encoding" allows a malicious party to circumvent 
               an affected IDS security detection. Attackers using this 
               methodology would be hidden from the IDS view. A degradation of 
               the security of a system can take place by attacks not being 
               detected. Automated warning systems based on IDS defenses would
               be defeated. 
SOLUTION:      The following IDS products were listed as affected:
               CISCO
                  Cisco Secure Intrusion Detection System
                     (formerly known as NetRanger, Sensor component)
                  Cisco Catalyst 6000 Intrusion Detection System Module.
               Dragon 
                  Dragon Sensor 4.x 
               ISS 
                  RealSecure Network Sensor 5.x and 6.x before XPU 3.2
                  RealSecure Server Sensor 6.0 for Windows 
                  RealSecure Server Sensor 5.5 for Windows 
               Snort 
                  Snort prior to version 1.8.1 

               Patches/fixes are available as listed in the advisory. Review
               supplemental advisory links, as provided in this bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. This vulnerability has been widely reported 
ASSESSMENT:    in the media. IDS systems should be immediately patched. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:
       http://www.ciac.org/ciac/bulletins/l-139.shtml 
 ORIGINAL BULLETIN:
       http://www.eeye.com/html/Research/Advisories/AD20010705.html 
 CISCO Advisory:
       http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml 
 Securiteam Advisory: 
       http://www.securiteam.com/securitynews/5OP011P5FQ.html 
 X-Force Advisory 
       http://xforce.iss.net/alerts/advise95.php


 PATCHES: 
     ISS:
           All Products - http://www.iss.net/eval/eval.php 
           RealSecure Network Sensor - 
              http://www.iss.net/db_data/xpu/RS.php 
     Cisco 
           Cisco Secure Intrusion Detection System Sensor 
              ftp://ftp-eng.cisco.com/csids-sig-updates/ServicePacks/IDSk9-sp-3.0-1.43-S6-0.43-.bin
                     (read Cisco advisory concerning this fix) 
           Cisco Catalyst 6000 Intrusion Detection Module
              (Will be repaired with the release of service pack 3.0,
               scheduled for October 2001 release).
           Contracted Customers 
              http://www.cisco.com. 
______________________________________________________________________________

[******  Begin eEye Advisory ******]

%u encoding IDS bypass vulnerability

Release Date:
September 5, 2001

Severity:
Medium

Systems Affected:
Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor
component.
Cisco Catalyst 6000 Intrusion Detection System Module
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.x prior to 6.0.1
ISS RealSecure Server Sensor 5.5
Dragon Sensor 4.x
Snort prior to 1.8.1
NFR (Network Flight Record) is believed to be vulnerable however they have
not responded to our eMails.
Symantec and NAI were contacted but we were told that none of their products
are vulnerable.
Other Intrusion Detection style products (Network based pattern matching)
are probably affected... contact your vendor to be positive if your software
is affected or not.

Description:
For an Intrusion Detection system to function properly it must have the
ability to be able to decode (break down) various forms of HTTP encoded
requests such as UTF and hex encoding. Most commercial and freeware IDS
(Intrusion Detection Systems) do have the ability to break down UTF and hex
encoded request in an effort to analyze them for attack strings.

The two mainstream ways of encoding a url would be UTF (%xx%xx) or just
plain hex encode (%xx) where xx are the relevant hex values. Microsoft's IIS
Web server does include both of these types of encoding however it also
includes a third style of encoding that is not a HTTP standard. Therefore
most IDS systems were not aware of this "different" encoding and therefore
do not try to decode it.

This "different" style of encoding is known as %u encoding. The purpose of
this %u encoding seems to be for the ability to represent true Unicode/wide
character strings.

Since %u encoding is not a standard and IDS systems do not decode %u
strings, it is possible for an attacker to %u encode his/her attack against
an IIS web server without an IDS system detecting the attack. Therefore
allowing an attacker to successfully perform scans and attacks against IIS
web servers without IDS systems detecting the attacks.

Example:
A good example of how this could have been used in the real world would have
been a "stealth CodeRed". The CodeRed worm used the .ida buffer overflow
vulnerability to be able to exploit systems to propagate itself. CodeRed was
detected because IDS systems had signatures for the .ida attacks. However if
CodeRed would have had a polymorphic %u encoding mechanism then it would
have easily slipped past most IDS systems because they detected the .ida
attack by looking for ".ida" (or any .ida signature string) in a web
request.

So if an attacker sent a %u encoded request then they could bypass IDS's
checking for ".ida". An example request would look like:
GET /himom.id%u0061 HTTP/1.0

The above request will translate himom.id%u0061 to himom.ida and therefore
the request will work properly. The problem is that since %u encoding is not
a standard IDS systems did not know about this IIS specific encoding and
therefore are not properly decoding %u requests and will not detect these
attacks.

Vendor Status:

Cisco
"Products that are not affected because they do NOT implement
de-obfuscation, and do not implement attack signatures targeted at Microsoft
operating systems and applications.
Cisco Secure PIX Firewall
Cisco IOS Firewall Feature Set with Intrusion Detection
To get information on how to patch and protect your Cisco products, visit:
http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-v
uln-pub.shtml."

ISS (Internet Security Systems)
"ISS X-Force has included a patch for this vulnerability in RealSecure
Network Sensor X-Press Update 3.2.  ISS X-Force recommends that all
RealSecure customers download and install the update immediately. RealSecure
X-Press Update 3.2 is now available.  RealSecure Network Sensor customers
can download XPU 3.2 from the following address:
http://www.iss.net/db_data/xpu/RS.php
RealSecure Server Sensor version 6.0.1 includes a fix for this
vulnerability. RealSecure Server Sensor 6.0.1 will be available for download
on September 4, 2001.  ISS X-Force recommends that all RealSecure customers
upgrade their Windows Server Sensors to version 6.0.1.  A patch is being
developed for RealSecure Server Sensor 5.5 and will be available on or
before August 31, 2001 at the ISS Download Center:
http://www.iss.net/eval/eval.php
BlackICE products are not affected by this vulnerability.  Attempts to
exploit this vulnerability will trigger the "HTTP URL bad hex code"
signature.  The next BlackICE product update will specifically address "%u"
encoding."

DragonIDS
"Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE
encoding flaw have been available, and a modification to the Web processing
engine is already included in Dragon Sensor 5.0. To obtain dragon products,
visit http://dragon.enterasys.com"

Snort
"Snort 1.8.1 fixes this encoding bug. You can receive it from
http://snort.sourcefire.com/"

Credit:
This technique first came to our attention by an exploit written by HSJ. The
%u encoding technique was used in HSJ's .ida buffer overflow exploit however
it was not used to mask the attack to bypass Intrusion Detection Systems
when performing attacks against IIS systems.

Commentary:
Finding security holes is easy, writing advisories that are not dry boring
piles of cow dung, is hard.

Greetings:
Radiohead. Stringbeans. CodeRed.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

[******  End eEye Advisory  *******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of eEye Digital Security for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-129: Sun in.ftpd Filename Expansion Vulnerability
L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating Sy
L-131: IBM AIX telnetd Buffer Overflow
L-132: Microsoft Cumulative Patch for IIS
L-133: Sendmail Debugger Arbitrary Code Execution Vulnerability
L-134: HP  Security Vulnerability in rlpdaemon
L-136: HP-UX   Security Vulnerability in PRM
L-135: SGI File Globbing Vulnerability in ftpd
L-137: FreeBSD lpd Remote Root Vulnerability
L-138: Sun in lpd vulnerability