Various problems in Trend Micro AppletTrap URL filtering

From: eDvice Security Services (supportat_private)
Date: Mon Jul 09 2001 - 09:34:34 PDT


    Monday 9 July 2001
    
    eDvice Security Services Advisory - Various problems in Trend Micro
    AppletTrap URL filtering
    
    Product Background
    ------------------
    Trend Micro AppletTrap is a product for blocking malicious Java applets,
    malicious JavaScript and unsecured ActiveX controls at the gateway. The
    product includes an option for URL filtering.
    
    Scope
    -----
    eDvice recently conducted a test of AppletTrap's ability to filter URLs at
    the gateway. AppletTrap includes the ability to restrict access to selected
    URLs. It does not include the option to restrict access to all URLs except
    for selected URLs.
    
    The Findings
    ------------
    AppletTrap includes some design and implementation flaws, which allow an
    attacker to easily bypass restrictions set by the product administrator.
    This can be used by internal users to bypass AppletTrap's restrictions and
    by authorized web servers to redirect the user to unauthorized web servers.
    
    Details
    -------
    We found four problems with AppletTrap's URL filtering mechanism:
    
    1) Double slash: Restricted access to http://source.com/restricted could be
    bypassed by typing: http://source.com//restricted.
    
    2) URL encoding: The same restriction could also be bypassed by typing:
    http://source.com/r%65stricted
    
    3) Resolving IP addresses: The same restriction could be bypassed by typing
    the IP address of source.com instead of the domain name (the opposite
    scenario works as well, i.e., bypassing an IP address restriction by using
    the domain name).
    
    4) Dot notation: Restricting access to a certain IP address (e.g.
    http://192.16.100.100) could be bypassed by typing: http://192.016.100.100
    or even http://00192.16.100.100
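
    All four bypasses are the same failure: the filter compares the URL as typed
    with the deny list instead of canonicalising it first. The example below is
    added for this page and is not code from AppletTrap or from eDvice. It shows
    a small canonicaliser that folds each of the four variants to one form, a
    deny check built on it, and, beside it, the literal comparison the bypasses
    defeat. The host table that stands in for DNS and the deny entries are
    constructed for the example. It also goes one step beyond the advisory: an
    octet written with a leading zero (192.016.100.100) is read as octal by BSD
    inet_aton() and as decimal by other parsers, so the check keeps both readings
    and denies if either one is listed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-in for DNS so the example runs offline; this mapping is an
# assumption made for the illustration, not a real record for source.com.
HOSTS = {"source.com": "192.16.100.100"}
REVERSE = {ip: name for name, ip in HOSTS.items()}

DOTTED_QUAD = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def ip_forms(host):
    """Return every dotted-decimal address a dotted-quad literal may denote.

    A leading-zero octet is ambiguous: BSD inet_aton() reads "016" as octal
    (14), other parsers read it as decimal (16).  A filter that picks one
    reading is bypassed by a client that picks the other, so both are
    returned and the caller denies if either is on the list (bypass 4).
    """
    m = DOTTED_QUAD.match(host)
    if not m:
        return set()
    decimal, octal = [], []
    for octet in m.groups():
        d = int(octet, 10)
        if d > 255:
            return set()            # not a valid address at all
        decimal.append(d)
        if len(octet) > 1 and octet[0] == "0":
            try:
                octal.append(int(octet, 8))
            except ValueError:      # e.g. "00192": 9 is not an octal digit
                octal.append(None)
        else:
            octal.append(d)
    forms = {".".join(map(str, decimal))}
    if all(v is not None and v <= 255 for v in octal):
        forms.add(".".join(map(str, octal)))
    return forms


def host_candidates(host):
    """Name and address spellings that reach the same server (bypass 3)."""
    host = unquote(host).lower().rstrip(".")
    ips = ip_forms(host)
    if ips:
        names = {REVERSE[ip] for ip in ips if ip in REVERSE}
    else:
        names = {host}
        ips = {HOSTS[host]} if host in HOSTS else set()
    return names | ips


def canonical_path(path):
    """Percent-decode, then drop empty, '.' and '..' segments (bypasses 1, 2)."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def canonical_forms(url):
    """All canonical spellings of url, one per host candidate."""
    parts = urlsplit(url)
    path = canonical_path(parts.path)
    hosts = host_candidates(parts.hostname or "")
    return {f"{parts.scheme.lower()}://{h}{path}" for h in hosts}


def naive_blocked(url, deny_list):
    """Literal comparison, which every one of the four bypasses defeats."""
    return url in deny_list


def blocked(url, deny_list):
    """Deny if any canonical form of url equals, or lies under, a canonical deny entry."""
    deny_forms = set().union(*(canonical_forms(d) for d in deny_list))
    for form in canonical_forms(url):
        for entry in deny_forms:
            if form == entry or form.startswith(entry.rstrip("/") + "/"):
                return True
    return False


if __name__ == "__main__":
    deny_path = ["http://source.com/restricted"]
    deny_host = ["http://192.16.100.100"]
    for url, deny in [("http://source.com//restricted", deny_path),
                      ("http://source.com/r%65stricted", deny_path),
                      ("http://192.16.100.100/restricted", deny_path),
                      ("http://192.016.100.100", deny_host),
                      ("http://00192.16.100.100", deny_host)]:
        print(f"{url:36} naive={naive_blocked(url, deny)!s:5} canonical={blocked(url, deny)}")
```

    The check is only as good as the agreement between the filter's canonical
    form and what the client and server actually do: decoding once is the common
    case, and a server that decodes twice, or a client whose resolver reads a
    literal differently from the filter, reopens the gap. A gateway filter that
    never sees the resolved address also cannot catch bypass 3 except through a
    lookup of its own, which is why the advisory's denylist-only design is weak
    even once the parsing is fixed.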
    
    Version Tested
    --------------
    AppletTrap 2.0
    
    Status
    ------
    Trend Micro was notified on 28 June 2001. The problem was escalated to their
    QA department on the same day. We haven't received any further information
    from Trend Micro.
    
    Solution
    --------
    Do not rely on Trend Micro AppletTrap for URL filtering until Trend Micro
    fixes the problems.
    
    
    
    Discovered by eDvice on 28 June 2001.
    http://www.edvicesecurity.com/vul26.htm
    supportat_private
    
