Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.
Most intrusion detection systems are capable of decoding URLs that are encoded using either the "UTF" or "hex-encode" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as "%u encoding". According to the eEye Digital Security Advisory, "The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings." Because "%u encoding does not appear to be widely utilized by products other than Microsoft's Information Server (IIS)", certain intrusion detection systems are not able to properly decode %u encoded requests.
An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.
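The gap described above can be reproduced with a small normalisation check. The following is an added example, not part of the CERT note or the eEye advisory: a detector that decodes only %XX escapes is compared against one that also decodes IIS-style %uXXXX escapes, over constructed sample requests that all mean the same thing to the server. The signature string and sample paths are assumed values for illustration.

```python
import re

# Constructed sample signature: the string an IDS rule would look for after
# URL normalisation. Real rule content varies; this is only an illustration.
SIGNATURE = "/admin/"

_HEX_ONLY = re.compile(r"%([0-9A-Fa-f]{2})")
_HEX_AND_U = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_hex_only(path: str) -> str:
    """Single-pass decoder that understands only %XX escapes.
    This models an IDS that knows nothing about %u encoding."""
    return _HEX_ONLY.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_iis_style(path: str) -> str:
    """Single-pass decoder that also understands IIS-style %uXXXX escapes.
    Assumption: a %uXXXX escape is mapped to the code point it names; IIS's
    own code-page mapping for values above U+00FF is not emulated here."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return _HEX_AND_U.sub(repl, path)


def detected(path: str, decoder) -> bool:
    """Normalise with the given decoder, then match SIGNATURE as a rule engine would."""
    return SIGNATURE in decoder(path)


# Constructed sample requests; IIS decodes all three to the same path.
SAMPLES = {
    "plain": "/admin/",
    "hex": "/%61dmin/",
    "u-encoded": "/%u0061dmin/",
}


def evasion_report() -> dict:
    """Map each sample name to (caught by hex-only IDS, caught by %u-aware IDS)."""
    return {name: (detected(p, decode_hex_only), detected(p, decode_iis_style))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, aware) in evasion_report().items():
        print(f"{name:10} hex-only={naive!s:5} u-aware={aware}")
```

The "u-encoded" row is the case this note describes: the request is invisible to the %XX-only decoder and caught only once %u escapes are normalised before signature matching.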
Contact your vendor for patches.
The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.
Date First Published: 2001-09-07
Date Last Updated: 2003-10-30 21:26 UTC