Bypassing the Finjan SurfinGate URL filter

From: Marc Ruef (marc.ruefat_private)
Date: Wed Sep 04 2002 - 06:27:36 PDT

Next message: Dave Aitel: "SPIKE 2.6 Released..."

Previous message: Martin Schulze: "[SECURITY] [DSA 161-1] New Mantis package fixes privilege escalation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

I've found two possibilities to bypass the Finjan SurfinGate URL filter
- Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000.

1. IP Tunnel

Normally humans use domain- and hostnames instead of IP addresses. Most
users will add entries like "www.computec.ch" in the URL list of Finjan
SurfinGate to filter specific webservers.

The main problem is, that the SurfinGate never does a lookup of the
contacted hostname. Now you can use IP addresses instead of hostnames to
reach the wanted ressource. A limitation of this bypassing technique is,
that it does not work with webservers, that use virual hosts.

This problem is very heavy, if you use the SurfinGate as a plugin, where
the internal processes don't work with hostnames (I think that
Checkpoint Firewall-1 does it that way). Try to apply a rule to the
proxy-mechanism for using always hostnames instead of IP addresses.

A possible workaround is to add additionally to the hostnames the used
IP addresses. Attention if the ressource uses virual hosting or have
multiple ip addresses. This solution slows down the whole SurfinGate,
because there is a new filtering line.

2. Dot/FQDN Tunnel

In the Internet you have to use domain- or hostnames like
"www.computec.ch" to reach some webservers. Finjan SurfinGate does
identify the end of a domainname by a slash ("/").

If you add a simple dot at the end of the domainname (e.g.
"www.computec.ch."), the filtering mechanism could not catch the
request. The same problem is described for SuperScout in
http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally
it is possible to encode the dot like "%2E".

A possible workaround is to add additionally to the normal hostname
(e.g. "www.computec.ch") the FQDN (fully qualified domain name) like
"www.computec.ch.". This slows down the whole SurfinGate also, because
there is a new filtering line.

A tool for automated exploitation and a german analysis of the
vulnerability is available at
http://www.computec.ch/software/firewalling/url_filtering-tunnel/

I wrote one and a half week ago an email to infoat_private and asked
for some patches or workarounds. It seems that they droped my email and
I don't even get a reply. I think that they will not publish a patch.

A big thanks fly to Andrea Covello (http://www.covello.ch) and Guerkan
Senguen (http://www.linuks.mine.nu) for helping me discovering this
thread.

Bye, Marc

-- 
Computer, Technik und Security
http://www.computec.ch

Next message: Dave Aitel: "SPIKE 2.6 Released..."
Previous message: Martin Schulze: "[SECURITY] [DSA 161-1] New Mantis package fixes privilege escalation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 11:40:31 PDT