Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:IIS:ENCODING:UNICODE

Severity

 Info

Recommended

 No

Category

 HTTP

Keywords

 Unicode Encoding in URL

Release Date

 2006/10/20

Update Number

 1213

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Unicode Encoding in URL


This signatures detects unicode encoding in URLs. Some IPS do not decode unicode in URLs. An attacker can attempt to evade the IPS by using such encoding. Juniper IDP and DI products are not vulnerable to this technique.

Extended Description

The Microsoft IIS web server supports a non-standard method of encoding web requests. Because this method is non-standard, intrusion detection systems may not detect attacks encoded using this method. This vulnerability only affects intrusion detection systems in environments where '%u' unicode encoding is supported by a webserver (ie, IIS). If there is no webserver support for this encoding method or if it is disabled, there will be no targets to which encoded attacks can be sent. **NOTE**: Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well, however we have not recieved confirmation. This record will be updated as more information becomes available regarding affected technologies. BlackICE products detect '%u' encoded requests as being invalid, but do not decode them and detect encoded attack signatures.

Affected Products

  • Cisco Catalyst 6000 IDS Module
  • Cisco Secure IDS Host Sensor 2.0.0
  • Cisco Secure IDS Network Sensor 3.0.0
  • Cisco Secure Intrusion Detection System (NetRanger)
  • Enterasys Networks Dragon IDS 4.0.0
  • IBM RealSecure Network Sensor 5.0.0
  • IBM RealSecure Network Sensor 5.5.0
  • IBM RealSecure Network Sensor 5.5.1
  • IBM RealSecure Network Sensor 5.5.2
  • IBM RealSecure Network Sensor 6.0.0
  • IBM RealSecure Server Sensor 5.0.0 Win
  • IBM RealSecure Server Sensor 5.5.0 Win
  • IBM RealSecure Server Sensor 5.5.1 Win
  • IBM RealSecure Server Sensor 5.5.2 Win
  • IBM RealSecure Server Sensor 6.0.0 Win
  • NFR Network Intrusion Detection 5.0.0
  • Snort Project Snort 1.5.0
  • Snort Project Snort 1.5.1
  • Snort Project Snort 1.5.2
  • Snort Project Snort 1.6.0
  • Snort Project Snort 1.6.1
  • Snort Project Snort 1.6.2
  • Snort Project Snort 1.6.3
  • Snort Project Snort 1.7.0
  • Snort Project Snort 1.8.0

References

  • BugTraq: 3292
  • CVE: CVE-2001-0669
  • URL: http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml
  • URL: http://www.kb.cert.org/vuls/id/548515
  • URL: http://marc.theaimsgroup.com/?l=bugtraq&m=99972950200602&w=2

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out