Category:   Device (Intrusion Detection)  >   Cisco Catalyst 6000 IDS Module Vendors:   Cisco
Cisco Catalyst 6000 Intrusion Detection System Module Fails to Detect '%u' Encoding Obfuscation Attacks Against Microsoft Web Servers
SecurityTracker Alert ID:  1002330
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 6 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   eEye Digital Security reported a vulnerability in the Cisco Catalyst 6000 Intrusion Detection System Module, as well as several other intrusion detection systems (IDSs). The flaw allows remote users to attack Microsoft Internet Information Server (IIS) web servers without detection.

Microsoft IIS offers a non-standard '%u' URL encoding method for representation of Unicode characters in URLs. The Cisco product does not decode %u strings in URLs. As a result, a remote user can craft an attack against an IIS web server using %u encoding that will not be detected by the intrusion detection system.

For example, the following HTTP request will translate into a request for the file 'himom.ida' but the IDS system will not detect the 'himom.ida' request:

GET / HTTP/1.0

Cisco has assigned Bug ID CSCdv20287 to this vulnerability.

Other products affected are:

Cisco Secure Intrusion Detection System
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.x prior to 6.0.1
ISS RealSecure Server Sensor 5.5
Dragon Sensor 4.x
Snort prior to 1.8.1
Network Flight Record (possibly vulnerable)

See separate Alerts for those products.

Impact:   A remote user can issue an attack against Microsoft IIS web servers that will not be detected by the IDS.
Solution:   The vendor notes that this vulnerability will be repaired in service pack 3.0 for the Cisco Catalyst 6000 Intrusion Detection Module. Basic obfuscation detection was reportedly slated for the 3.0 release (early October 2001). A service pack to the 3.0 release will include the full fix (which will follow the 3.0 release by an unspecified period of time).
Vendor URL:
Cause:   Input validation error

Message History:   None.

 Source Message Contents

Subject:  %u encoding IDS bypass vulnerability

%u encoding IDS bypass vulnerability

Release Date:
September 5, 2001


Systems Affected:
Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor
Cisco Catalyst 6000 Intrusion Detection System Module
ISS RealSecure Network Sensor 5.x and 6.x before XPU 3.2
ISS RealSecure Server Sensor 6.x prior to 6.0.1
ISS RealSecure Server Sensor 5.5
Dragon Sensor 4.x
Snort prior to 1.8.1
NFR (Network Flight Record) is believed to be vulnerable; however, they have
not responded to our e-mails.
Symantec and NAI were contacted, but we were told that none of their products
are vulnerable.
Other intrusion-detection-style products (network-based pattern matching)
are probably affected; contact your vendor to confirm whether or not your
software is affected.

For an intrusion detection system to function properly, it must be able to
decode (break down) the various forms of HTTP-encoded requests, such as UTF
and hex encoding. Most commercial and freeware IDSs (Intrusion Detection
Systems) do have the ability to decode UTF- and hex-encoded requests in order
to analyze them for attack strings.

The two mainstream ways of encoding a URL are UTF (%xx%xx) and plain hex
encoding (%xx), where xx are the relevant hex values. Microsoft's IIS web
server supports both of these types of encoding; however, it also supports a
third style of encoding that is not an HTTP standard. Most IDSs were
therefore not aware of this "different" encoding and do not try to decode
it.

This "different" style of encoding is known as %u encoding. Its purpose
appears to be to represent true Unicode/wide-character strings.

Since %u encoding is not a standard and IDSs do not decode %u strings, an
attacker can %u-encode his/her attack against an IIS web server without an
IDS detecting it. This allows an attacker to successfully perform scans and
attacks against IIS web servers without IDSs detecting them.

A good example of how this could have been used in the real world would have
been a "stealth CodeRed". The CodeRed worm used the .ida buffer overflow
vulnerability to exploit systems and propagate itself. CodeRed was detected
because IDSs had signatures for the .ida attacks. However, if CodeRed had had
a polymorphic %u encoding mechanism, it would have easily slipped past most
IDSs, because they detected the .ida attack by looking for ".ida" (or any
.ida signature string) in a web

So if an attacker sent a %u-encoded request, they could bypass IDSs that
check for ".ida". An example request would look like:
GET / HTTP/1.0

The above request translates to himom.ida, and therefore the request will
work properly. The problem is that, since %u encoding is not a standard,
IDSs did not know about this IIS-specific encoding; they therefore do not
properly decode %u requests and will not detect these
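As an added example (not code from the eEye advisory or from any of the vendors named here), the following Python normalizer decodes both standard %XX escapes and IIS's non-standard %uXXXX escapes before signature matching, which is the step the affected sensors lacked. The sample request is constructed here by %u-encoding every character of 'himom.ida'; the signature check and helper names are this example's own.

```python
import re

# Added example, not from the eEye advisory or any vendor. Matches IIS-style
# %uXXXX (exactly four hex digits) first, then the standard %XX escape.
_ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Constructed sample: 'himom.ida' with every character %u-encoded.
SAMPLE_REQUEST = ("GET /%u0068%u0069%u006d%u006f%u006d"
                  "%u002e%u0069%u0064%u0061 HTTP/1.0")


def decode_iis_path(path: str) -> str:
    """Decode %XX and IIS's %uXXXX escapes in one pass.

    %uXXXX yields the UTF-16 code unit; %XX is decoded byte-wise (enough for
    ASCII signatures). Malformed escapes such as '%u00' or '%zz' are left
    untouched so that an odd-looking request is never silently dropped.
    """
    def _sub(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))   # %uXXXX
        return chr(int(m.group(2), 16))       # %XX
    return _ESCAPE_RE.sub(_sub, path)


def request_path(request_line: str) -> str:
    """Return the request-URI from a line like 'GET /x HTTP/1.0' ('' if absent)."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def naive_matches_signature(request_line: str, signature: str = ".ida") -> bool:
    """Pre-fix sensor behaviour: substring match on the raw, undecoded URI."""
    return signature.lower() in request_path(request_line).lower()


def matches_signature(request_line: str, signature: str = ".ida") -> bool:
    """Fixed behaviour: decode the URI first, then match the signature."""
    decoded = decode_iis_path(request_path(request_line))
    return signature.lower() in decoded.lower()


if __name__ == "__main__":
    print("decoded URI  :", decode_iis_path(request_path(SAMPLE_REQUEST)))
    print("raw match    :", naive_matches_signature(SAMPLE_REQUEST))  # False
    print("decoded match:", matches_signature(SAMPLE_REQUEST))        # True
```

Running it shows the raw-substring check missing the .ida request that the decoded check catches; mixed %u/%XX forms decode the same way.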

Vendor Status:

"Products that are not affected because they do NOT implement
de-obfuscation, and do not implement attack signatures targeted at Microsoft
operating systems and applications.
Cisco Secure PIX Firewall
Cisco IOS Firewall Feature Set with Intrusion Detection
To get information on how to patch and protect your Cisco products, visit:

ISS (Internet Security Systems)
"ISS X-Force has included a patch for this vulnerability in RealSecure
Network Sensor X-Press Update 3.2.  ISS X-Force recommends that all
RealSecure customers download and install the update immediately. RealSecure
X-Press Update 3.2 is now available.  RealSecure Network Sensor customers
can download XPU 3.2 from the following address:
RealSecure Server Sensor version 6.0.1 includes a fix for this
vulnerability. RealSecure Server Sensor 6.0.1 will be available for download
on September 4, 2001.  ISS X-Force recommends that all RealSecure customers
upgrade their Windows Server Sensors to version 6.0.1.  A patch is being
developed for RealSecure Server Sensor 5.5 and will be available on or
before August 31, 2001 at the ISS Download Center:
BlackICE products are not affected by this vulnerability.  Attempts to

"Dragon Sensor 4.x was affected. Signatures to detect the new IIS UNICODE
encoding flaw have been available, and a modification to the Web processing
engine is already included in Dragon Sensor 5.0. To obtain dragon products,

"Snort 1.8.1 fixes this encoding bug. You can receive it from"

This technique first came to our attention by way of an exploit written by
HSJ. The %u encoding technique was used in HSJ's .ida buffer overflow
exploit; however, it was not used to mask the attack to bypass intrusion
detection systems when performing attacks against IIS systems.

Finding security holes is easy, writing advisories that are not dry boring
piles of cow dung, is hard.

Radiohead. Stringbeans. CodeRed.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail for

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security

