Vulnerability Note VU#548515

Multiple intrusion detection systems may be circumvented via %u encoding

Overview

Multiple intrusion detection systems may be circumvented via %u encoding, allowing intruders to launch attacks undetected.

I. Description

Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because "%u encoding does not appear to be widely utilized by products other than Microsoft's Information Server (IIS)," certain intrusion detection systems are not able to properly decode %u encoded requests.

II. Impact

An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system, in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.

III. Solution

Contact your vendor for patches.

Systems Affected
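The following added example, which is not part of the CERT note or the eEye advisory, illustrates the decoding gap described in the Description and Impact sections from the detection side. It models a signature-matching inspector that normalizes request paths before matching: with only the standard %XX hex scheme decoded (the behaviour the note attributes to the affected IDS products) a %uXXXX-encoded request slips past a signature that its plain and hex-encoded forms trigger; with %u decoding added, all three forms are caught. The signature "/sensitive/", the request lines and all function names are constructed for this illustration.

```python
import re

# One regex for both escape forms: IIS-style %uXXXX (a 16-bit code unit) and
# the standard %XX hex escape. The %u alternative must be tried first.
_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def decode_escapes(path: str, decode_u: bool = True) -> str:
    """Decode %XX and, when decode_u is True, %uXXXX escapes in a URL path.

    decode_u=False models a normalizer that only knows the hex scheme: it
    leaves %uXXXX sequences untouched, so signatures never see the decoded
    characters. (Single-pass decode; %XX bytes are mapped one-to-one to code
    points for simplicity rather than UTF-8 decoded.)
    """
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:          # %uXXXX
            if not decode_u:
                return m.group(0)           # naive decoder: pass through verbatim
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))     # %XX
    return _ESCAPE.sub(repl, path)


def matches_signature(path: str, signatures, decode_u: bool = True):
    """Return the signatures found in the normalized form of `path`."""
    decoded = decode_escapes(path, decode_u=decode_u)
    return [s for s in signatures if s in decoded]


def scan(requests, signatures, decode_u: bool = True):
    """Return the request lines whose path matches any signature.

    Each line is a minimal 'METHOD PATH VERSION' request line; only the path
    is normalized and matched.
    """
    hits = []
    for line in requests:
        parts = line.split()
        path = parts[1] if len(parts) >= 2 else ''
        if matches_signature(path, signatures, decode_u=decode_u):
            hits.append(line)
    return hits


# Constructed signature and request lines (not from the advisory).
SIGNATURES = ["/sensitive/"]
CONSTRUCTED_REQUESTS = [
    "GET /index.html HTTP/1.0",                 # benign
    "GET /sensitive/config HTTP/1.0",           # plain form of the signature
    "GET /%73ensitive/config HTTP/1.0",         # 's' as standard %XX hex escape
    "GET /%u0073ensitive/config HTTP/1.0",      # 's' as IIS %uXXXX escape
]

if __name__ == "__main__":
    for decode_u in (False, True):
        label = "with %u decoding" if decode_u else "hex-only decoding"
        hits = scan(CONSTRUCTED_REQUESTS, SIGNATURES, decode_u=decode_u)
        print(f"{label}: {len(hits)} of {len(CONSTRUCTED_REQUESTS)} requests flagged")
        for line in hits:
            print("  ", line)
```

Running the block prints two flagged requests for the hex-only normalizer and three once %uXXXX is decoded; the difference is exactly the %u-encoded line. The practical check for a defender is the same: feed the IDS a %u-encoded variant of a request its signature set already matches in plain and %XX form and confirm that it still alerts; if it does not, the sensor needs the vendor's decoder update the Solution section refers to.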
References
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based. This document was written by Ian A. Finlay.
If you have feedback, comments, or additional information about this vulnerability, please send us email.