Multiple intrusion detection systems can be circumvented with %u encoding, allowing intruders to launch attacks undetected.
Most intrusion detection systems are capable of decoding URLs that are encoded using either the UTF-8 or the "hex" (%XX) encoding scheme. Microsoft's Internet Information Server (IIS) accepts both of these encoding schemes. It also accepts an encoding scheme known as "%u encoding", in which a sequence of the form %uXXXX (four hexadecimal digits) represents a single 16-bit Unicode character, so that %u0063 decodes to the letter "c". According to the eEye Digital Security advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because %u encoding does not appear to be widely used by products other than IIS, certain intrusion detection systems are not able to properly decode %u-encoded requests and therefore fail to match them against their signatures.
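The following is an added example, not code from the eEye advisory or from this note, that shows the decoding gap in working form. It compares a normaliser that understands only %XX (the behaviour of an affected IDS) with one that also decodes %uXXXX the way IIS does, then runs both over constructed sample request URIs against a constructed signature list. The request paths and the signature strings are assumptions chosen for illustration, not taken from the advisory.

```python
import re

# Added example (not from the eEye advisory or the CERT note): a tiny
# IDS-style URL normaliser showing why a decoder that understands only
# %XX misses %uXXXX-encoded requests.

# Constructed sample signatures an IDS might look for in a request URI.
SIGNATURES = ("cmd.exe", "../")

_HEX_ONLY = re.compile(r"%([0-9A-Fa-f]{2})")
_HEX_AND_U = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_hex_only(uri: str) -> str:
    """Decode %XX only: the behaviour of an IDS without %u support.
    A %uXXXX sequence is left untouched ('u' is not a hex digit), so
    '%u0063md.exe' stays '%u0063md.exe' and never matches 'cmd.exe'."""
    return _HEX_ONLY.sub(lambda m: chr(int(m.group(1), 16)), uri)


def decode_iis_style(uri: str) -> str:
    """Decode %uXXXX (four hex digits -> one UTF-16 code unit) and %XX in a
    single pass.  The %u alternative is tried first, and the output is never
    re-scanned, so a '%' produced by decoding cannot be decoded again
    (%2575 -> '%75', not 'u').  Malformed sequences with too few hex digits
    are passed through unchanged, as a server treats them as literal text."""
    def repl(m):
        wide, narrow = m.group(1), m.group(2)
        return chr(int(wide or narrow, 16))
    return _HEX_AND_U.sub(repl, uri)


def matches(uri: str, decoder) -> list:
    """Return the signatures found in `uri` after normalising with `decoder`."""
    normalised = decoder(uri)
    return [sig for sig in SIGNATURES if sig in normalised]


# Constructed requests: the same path in three encodings (sample data only).
PLAIN = "/scripts/../../winnt/system32/cmd.exe"
HEX_ENCODED = "/scripts/%2e%2e/%2e%2e/winnt/system32/%63md.exe"
U_ENCODED = "/scripts/%u002e%u002e/%u002e%u002e/winnt/system32/%u0063md.exe"

if __name__ == "__main__":
    for name, req in (("plain", PLAIN), ("hex", HEX_ENCODED), ("%u", U_ENCODED)):
        print(f"{name:6} hex-only IDS: {matches(req, decode_hex_only)}")
        print(f"{name:6} %u-aware IDS: {matches(req, decode_iis_style)}")
```

Run stand-alone, the hex-only normaliser flags the plain and %XX-encoded requests but returns no matches for the %u-encoded one, while the %u-aware normaliser flags all three. The single-pass regex with `%u` as the first alternative is the design point worth copying: decoding in two separate passes (first `%u`, then `%XX`) would re-scan decoded output and open a double-decoding hole of its own.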
An intruder can pass %u-encoded malicious traffic through an intrusion detection system undetected, in violation of the security policy the system is meant to enforce. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server, which decodes the %u sequences and processes the request normally.
Contact your intrusion detection system vendor for patches.
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.
This document was written by Ian A. Finlay.
Date First Published: 2001-09-07
Date Last Updated: 2003-10-30 21:26 UTC