RE: Bypassing website filter in SonicWall

From: Brian J. Gaia (bjgaiaat_private)
Date: Wed Oct 30 2002 - 19:47:56 PST


    That weakness would exist in any product that filters by domain name,
    because many of them will not perform a reverse DNS lookup. This would be
    the behavior of most home products (such as Cyberpatrol) which allow an
    administrator to specify forbidden domains, but if I wanted to see the site
    bad enough I would just ping/tracert/etc to get the IP address. In most
    cases the filter will not capture the IP address because all the admin knew
    to enter was the domain name.
    
    SonicWall could (and should) resolve this by adding Reverse DNS lookup to
    the Forbidden Domains list. That would possibly slow down Internet traffic
    on the LAN side but the admin could disable it if they wish. Also if the
    reverse DNS fails it could give the admin the option to block the site or
    allow it anyway.
    
    Brian J. Gaia
    Print Shop & Information Systems Assistant
    Webmaster, Pure and Undefiled Religion (PURE)
    Church of the Open Door
    
    
    -----Original Message-----
    From: Marc Ruef [mailto:marc.ruefat_private]
    Sent: Tuesday, October 29, 2002 2:36 PM
    To: bugtraqat_private; newsat_private
    Subject: Bypassing website filter in SonicWall
    
    
    Hi!
    
    I found a little weakness in SonicWall: I turn on the blocking
    mechanism for websites (e.g. www.google.com). Now I can't reach
    the website using the domain name. But if I choose the IP address of the
    host (e.g. http://216.239.53.101/), I can contact the forbidden
    website. The same issue I've discovered for NetGear FM114P in
    http://online.securityfocus.com/bid/5667
    
    It would make sense if you can do an internal nslookup. Otherwise the
    user can do a workaround by always adding the IP address(es) of the
    blocked websites. But this can cause some problems if there were some
    virtual hostings. A smart attacker can use some dotless IPs to bypass
    the new workaround IP filter. The box will sadly lose performance
    because of the additional filter line(s).
    
    My description was sent on 02/10/15 to infoat_private - No response
    came back. The blocking URL message style and problem reminds me of the
    website blocking mechanism by NetGear's FM114P. It could be that both
    use the same mechanism (by a 3rd party?). So, if the bug is fixed for
    one box the other will also be fixed - I think so.
    
    Bye, Marc
    
    --
    Computer, Technik und Security
    http://www.computec.ch
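
The check both messages ask for, sketched as an added example (not SonicWall's or NetGear's code): the filter canonicalises every IPv4 spelling of the requested host, dotless forms included, and compares it with the addresses the forbidden domains resolve to. `FORBIDDEN`, `RESOLVED`, `canonical_ip` and `is_blocked` are hypothetical names, and the resolution table is a constructed static snapshot built from the address quoted in the thread so the example runs offline.

```python
from urllib.parse import urlsplit

# Constructed sample data: the admin's forbidden list and a static snapshot
# of forward DNS results (assumption: a real filter refreshes this itself).
FORBIDDEN = {"www.google.com"}
RESOLVED = {"www.google.com": {"216.239.53.101"}}


def canonical_ip(host):
    """Return the dotted quad for any inet_aton-style IPv4 spelling, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):   # rejects "", signs, "_"
            return None
        try:
            if p.lower().startswith("0x"):
                nums.append(int(p, 16))          # hex part
            elif len(p) > 1 and p.startswith("0"):
                nums.append(int(p, 8))           # octal part
            else:
                nums.append(int(p, 10))          # decimal part
        except ValueError:
            return None                          # an ordinary host name
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes,
    # which is what makes a one-part "dotless" address valid.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def is_blocked(url):
    """True if the URL names a forbidden domain or any spelling of its IPs."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in FORBIDDEN:
        return True
    ip = canonical_ip(host)
    return ip is not None and any(ip in RESOLVED.get(d, ()) for d in FORBIDDEN)
```

Matching on the resolved address also blocks every other site served from that IP, which is the virtual-hosting problem raised in the original message.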
    



    This archive was generated by hypermail 2b30 : Fri Nov 01 2002 - 13:32:30 PST