[Snort-users] Well : IIS Unicode attack

Joe Stewart jstewart at ...262...
Fri Jan 26 08:38:39 EST 2001


On Fri, 26 Jan 2001, you wrote:
> According to X-Force this attack can be detected by looking for two
> periods, followed by either 0xC0, 0xC1, 0xE0, 0xF0, 0xF8,
> or 0xFC
>
> So I looked at the code in spp_http_decode.c but there is something I don't
> understand: in this code we are looking for % followed by either 0xC0, 0xC1,
> 0xE0, 0xF0, 0xF8, or 0xFC.
>
> So who is right?

The "easy" unicode attack is done through a browser, using %c0, %c1, etc.,
just like normal URL encoding. They have to have the percent in front of
them. These are the types of attack that the http preprocessor will detect
every time, with a risk of false positives from Netscape Communicator cookies.

However, it has been discovered that you can send raw unicode bytes to IIS to
achieve the same exploit, but this requires you to use a specially coded
application. This is the kind of attack the X-Force signatures would detect,
although not very often. For instance, I could encode the dots in unicode,
either using raw bytes or urlencoding, or I could mix and match the two. Also,
binary data passing over port 80 will generate false positives here.

The short answer is, there is currently no 100% effective way to detect 
unicode attacks in Snort (or any other IDS) until full UTF-8 decoding is 
implemented. And that's no small task.

-Joe

-- 
Joe Stewart  
Information Security Analyst 
jstewart at ...262...   
LURHQ Corporation  
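The two detection approaches discussed in this thread, side by side, as an added example that is not part of the original post or of Snort's spp_http_decode.c. The function percent_lead_byte_match is my reconstruction of the "% followed by one of the six lead bytes" check as the thread describes it, not the preprocessor's real code; check_uri is the fuller approach Joe calls "full UTF-8 decoding": percent-decode first, then decode UTF-8 from the resulting bytes and count sequences that are overlong (a value that could have been written in fewer bytes), which is what a lenient decoder turns into an ASCII slash or dot. The sample URIs in main are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Result of normalising one request URI. */
typedef struct {
    char path[256]; /* decoded path; code points >= 0x80 are written as '?' */
    int overlong;   /* overlong UTF-8 sequences seen, %-encoded or raw */
    int traversal;  /* 1 if the decoded path contains "../" or "..\" */
} uri_check_t;

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical reconstruction of the check the thread attributes to
 * spp_http_decode.c: a '%' followed by one of the six lead bytes.
 * It can only see the URL-encoded form; raw bytes pass untouched. */
int percent_lead_byte_match(const char *uri)
{
    static const int leads[] = { 0xC0, 0xC1, 0xE0, 0xF0, 0xF8, 0xFC };
    for (size_t i = 0; uri[i]; i++) {
        int hi, lo;
        if (uri[i] != '%') continue;
        hi = hexval((unsigned char)uri[i + 1]);
        if (hi < 0) continue;
        lo = hexval((unsigned char)uri[i + 2]);
        if (lo < 0) continue;
        for (size_t k = 0; k < sizeof leads / sizeof leads[0]; k++)
            if ((hi << 4 | lo) == leads[k]) return 1;
    }
    return 0;
}

/* Pass 1: %XX -> byte; everything else (including raw high bytes) is copied. */
static size_t pct_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] && n < cap; i++) {
        if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi >= 0 ? hexval((unsigned char)in[i + 2]) : -1;
            if (lo >= 0) { out[n++] = (unsigned char)(hi << 4 | lo); i += 2; continue; }
        }
        out[n++] = (unsigned char)in[i];
    }
    return n;
}

/* Pass 2: decode UTF-8 from the byte stream and count overlong forms. The
 * lead byte fixes the sequence length and the smallest value that length may
 * legitimately carry; anything below that minimum is overlong. */
uri_check_t check_uri(const char *uri)
{
    uri_check_t r;
    unsigned char buf[256];
    size_t len = pct_decode(uri, buf, sizeof buf), i = 0, o = 0;

    memset(&r, 0, sizeof r);
    while (i < len && o < sizeof r.path - 1) {
        unsigned char b = buf[i];
        unsigned long cp, min;
        int extra, j;

        if (b < 0x80)                { extra = 0; cp = b;        min = 0; }
        else if ((b & 0xE0) == 0xC0) { extra = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { extra = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { extra = 3; cp = b & 0x07; min = 0x10000; }
        else if ((b & 0xFC) == 0xF8) { extra = 4; cp = b & 0x03; min = 0x200000; }
        else if ((b & 0xFE) == 0xFC) { extra = 5; cp = b & 0x01; min = 0x4000000; }
        else { r.path[o++] = '?'; i++; continue; } /* stray continuation byte */

        for (j = 1; j <= extra; j++) {
            if (i + j >= len || (buf[i + j] & 0xC0) != 0x80) break;
            cp = (cp << 6) | (buf[i + j] & 0x3F);
        }
        if (j <= extra) { r.path[o++] = '?'; i++; continue; } /* truncated sequence */

        if (extra > 0 && cp < min) r.overlong++;
        r.path[o++] = cp < 0x80 ? (char)cp : '?';
        i += 1 + extra;
    }
    r.path[o] = '\0';
    r.traversal = (strstr(r.path, "../") || strstr(r.path, "..\\")) ? 1 : 0;
    return r;
}

int main(void)
{
    /* Constructed samples: the %-encoded form, the same bytes sent raw,
     * the dots themselves overlong-encoded, and a clean request with real UTF-8. */
    const char *samples[] = {
        "/..%c0%af../x",
        "/..\xc0\xaf../x",
        "%c0%ae%c0%ae/x",
        "/index.html?q=caf%c3%a9",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uri_check_t r = check_uri(samples[k]);
        printf("percent-check=%d overlong=%d traversal=%d path=%s\n",
               percent_lead_byte_match(samples[k]), r.overlong, r.traversal, r.path);
    }
    return 0;
}
```

The raw-byte and dot-encoded samples are exactly the cases Joe says the percent check misses: percent_lead_byte_match returns 0 for them, while check_uri reports the overlong sequences and the "../" they decode to. Requiring a complete sequence whose value is below the length's minimum, rather than the mere presence of a lead byte, also narrows the false positives on binary data over port 80 that both posts mention, though arbitrary bytes can still form such a sequence by chance, so a real deployment would pair this with the traversal result rather than alert on overlong alone.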
