{"vuid":"VU#548515","idnumber":"548515","name":"Multiple intrusion detection systems may be circumvented via %u encoding","keywords":["Intrusion Detection System","IDS","GET requests","bypass security mechanism","unicode","%u006b"],"overview":"Multiple intrusion detection systems may be circumvented via %u encoding allowing intruders to launch attacks undetected.","clean_desc":"Most intrusion detection systems are capable of decoding URLs that are encoded using either the \"UTF\" or \"hex-encode\" encoding schemes. Microsoft's Information Server (IIS) employs both of these encoding schemes. It also makes use of an encoding scheme known as \"%u encoding\". According to the eEye Digital Security Advisory, \"The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings.\" Because \"%u encoding\" does not appear to be widely utilized by products other than Microsoft's Information Server (IIS), certain intrusion detection systems are not able to properly decode %u encoded requests.","impact":"An intruder can pass %u encoded malicious traffic undetected through an intrusion detection system in violation of implied security policies. This will typically be reconnaissance traffic and/or attack traffic directed at an IIS web server.","resolution":"Contact your vendor for patches.","workarounds":"","sysaffected":"","thanks":"The CERT Coordination Center thanks eEye Digital Security for their advisory, on which this document is based.","author":"This document was written by Ian A. Finlay.","public":["http://www.securityfocus.com/bid/3292","http://www.eeye.com/html/Research/Advisories/index.html","http://www.iss.net/db_data/xpu/RS.php","http://www.iss.net/eval/eval.php","http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml"],"cveids":["CVE-2001-0669"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-09-06T12:50:04Z","publicdate":"2001-09-05T00:00:00Z","datefirstpublished":"2001-09-07T21:10:06Z","dateupdated":"2003-10-30T21:26:28Z","revision":47,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"10","cam_impact":"5","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"13.125","cam_scorecurrentwidelyknown":"13.125","cam_scorecurrentwidelyknownexploited":"20.625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.125,"vulnote":null}