surfCONTROL SuperScout v2.6.1.6 flaw

From: Mike, C (civat_private)
Date: Wed Feb 02 2000 - 21:28:32 PST

    Vulnerable Apps/Platforms:
    -So far, surfCONTROL SuperScout 2.6.1.6, Only version 
    tested, with rules blocking based on web site category. 
    Complete No Access rules still successfully block. 
    -Possibly all previous versions.
    -This vulnerability voids the ability to block users based 
    on category.
    -Discovered on NT Server 4.0 SP5
    
    Non-Vulnerable Apps:
    -N/A
    
    Vulnerability:
    -Blocking Internet access based on surfCONTROL's 
    categorization of a particular site.
    -Example: Rule - No Access to Adult sites Anytime
    -"www.playboy.com" successfully blocked.
    -"www.playboy.com." let right through the filter.
    -"www.penthouse.com" successfully blocked.
    -"www.penthouse.com." let right through the filter.
    
    Exploit:
    -One of the product's features is its ability to block a 
    user from viewing a particular web site based on a 
    classification database. Inside this database, web sites 
    like www.playboy.com are categorized. Among the categories 
    are Adult, Gambling, Sports, etc. Rules can be implemented 
    based on user, time, category (Example: Disallow Everyone 
    to Adult sites at anytime throughout the day)
    -With IE5, behind surfCONTROL's rules, attempt to visit a 
    restricted site (this will vary on the admin's rules.)
    -Add a "." (period) after the blocked URL.
    -Access is granted.
    -The web site/activity is logged by surfCONTROL, however 
    the "." bypasses the categorization. Within the logs, such 
    a site will show with a category of "None"
    
    Solution:
    -The vendor was notified of this hole on the 7th of 
    January, 2000. Subsequent notifications were sent regarding 
    the severity of this flaw.
    -No patch is available to date.
    
    References:
    -Unknown. I have briefly searched to see if this is old 
    news, but discovered nothing.
    
    History:
    -surfCONTROL tech support was initially contacted with full 
    details on this hole and how to duplicate the behavior on 
    Jan 7, 2000. 
    -No information regarding a patch release or status was 
    ever volunteered until two follow-up e-mails were sent 
    regarding the severity of this flaw and the timely manner 
    to which it should be resolved. 
    -I have received an e-mail stating a tentative date of Jan 
    31, 2000, for the availability of a downloadable patch from 
    the website. Still nothing has been released.
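
The following is an added example, not part of the original post and not surfCONTROL's code: it shows why a category lookup keyed on the raw host string misses the fully qualified form with a trailing dot, and how canonicalising the host before the lookup closes that gap. The category table, function names and sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a filter's classification database.
CATEGORY_DB = {
    "www.playboy.com": "Adult",
    "www.penthouse.com": "Adult",
    "www.example.org": "Reference",
}
BLOCKED_CATEGORIES = {"Adult"}  # rule: no access to Adult sites anytime


def host_of(url):
    """Return the host exactly as the client requested it (port removed)."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def canonical_host(host):
    """Lower-case the name and drop trailing root dots, so that
    'www.example.org.' and 'www.example.org' compare equal."""
    return host.lower().rstrip(".")


def naive_category(url):
    # Lookup on the raw host: 'www.playboy.com.' is not a key, so the
    # site falls through with category "None", as the post describes.
    return CATEGORY_DB.get(host_of(url), "None")


def category(url):
    # Lookup on the canonical host: both spellings map to the same entry.
    return CATEGORY_DB.get(canonical_host(host_of(url)), "None")


def is_blocked(url, lookup=category):
    return lookup(url) in BLOCKED_CATEGORIES


def suspicious_log_hosts(log_hosts):
    """Review aid: logged hosts whose category is "None" only because
    of the trailing dot, i.e. they are categorised once canonicalised."""
    return [h for h in log_hosts
            if h.endswith(".")
            and naive_category(h) == "None"
            and category(h) != "None"]
```

Until a fix is available, running `suspicious_log_hosts` over the hosts that the logs show with category "None" separates trailing-dot requests for categorised sites from sites that are simply uncategorised.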
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:10 PDT