Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

SurfinGate.txt

🗓️ 05 Sep 2002 00:00:00Reported by Marc RuefType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Bypass methods for Finjan SurfinGate URL filter using IP Tunnel and Dot/FQDN Tunnel techniques.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Hi!  
  
I've found two possibilities to bypass the Finjan SurfinGate URL filter  
- Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000.  
  
1. IP Tunnel  
  
Normally humans use domain- and hostnames instead of IP addresses. Most  
users will add entries like "www.computec.ch" in the URL list of Finjan  
SurfinGate to filter specific webservers.  
  
The main problem is, that the SurfinGate never does a lookup of the  
contacted hostname. Now you can use IP addresses instead of hostnames to  
reach the wanted ressource. A limitation of this bypassing technique is,  
that it does not work with webservers, that use virual hosts.  
  
This problem is very heavy, if you use the SurfinGate as a plugin, where  
the internal processes don't work with hostnames (I think that  
Checkpoint Firewall-1 does it that way). Try to apply a rule to the  
proxy-mechanism for using always hostnames instead of IP addresses.  
  
A possible workaround is to add additionally to the hostnames the used  
IP addresses. Attention if the ressource uses virual hosting or have  
multiple ip addresses. This solution slows down the whole SurfinGate,  
because there is a new filtering line.  
  
2. Dot/FQDN Tunnel  
  
In the Internet you have to use domain- or hostnames like  
"www.computec.ch" to reach some webservers. Finjan SurfinGate does  
identify the end of a domainname by a slash ("/").  
  
If you add a simple dot at the end of the domainname (e.g.  
"www.computec.ch."), the filtering mechanism could not catch the  
request. The same problem is described for SuperScout in  
http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally  
it is possible to encode the dot like "%2E".  
  
A possible workaround is to add additionally to the normal hostname  
(e.g. "www.computec.ch") the FQDN (fully qualified domain name) like  
"www.computec.ch.". This slows down the whole SurfinGate also, because  
there is a new filtering line.  
  
A tool for automated exploitation and a german analysis of the  
vulnerability is available at  
http://www.computec.ch/software/firewalling/url_filtering-tunnel/  
  
I wrote one and a half week ago an email to [email protected] and asked  
for some patches or workarounds. It seems that they droped my email and  
I don't even get a reply. I think that they will not publish a patch.  
  
A big thanks fly to Andrea Covello (http://www.covello.ch) and Guerkan  
Senguen (http://www.linuks.mine.nu) for helping me discovering this  
thread.  
  
Bye, Marc  
  
--   
Computer, Technik und Security  
http://www.computec.ch  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
05 Sep 2002 00:00Current
7.4High risk
Vulners AI Score7.4
bypass methodfinjan surfingateurl filterip tunneldot tunnelfqdnvirtual hosting
32
.json
Report