Lucene search
+L

SurfinGate.txt

🗓️ 05 Sep 2002 00:00:00Reported by Marc RuefType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 36 Views

Bypass methods for Finjan SurfinGate URL filter using IP Tunnel and Dot/FQDN Tunnel techniques.

Code
`Hi!  
  
I've found two possibilities to bypass the Finjan SurfinGate URL filter  
- Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000.  
  
1. IP Tunnel  
  
Normally humans use domain- and hostnames instead of IP addresses. Most  
users will add entries like "www.computec.ch" in the URL list of Finjan  
SurfinGate to filter specific webservers.  
  
The main problem is, that the SurfinGate never does a lookup of the  
contacted hostname. Now you can use IP addresses instead of hostnames to  
reach the wanted ressource. A limitation of this bypassing technique is,  
that it does not work with webservers, that use virual hosts.  
  
This problem is very heavy, if you use the SurfinGate as a plugin, where  
the internal processes don't work with hostnames (I think that  
Checkpoint Firewall-1 does it that way). Try to apply a rule to the  
proxy-mechanism for using always hostnames instead of IP addresses.  
  
A possible workaround is to add additionally to the hostnames the used  
IP addresses. Attention if the ressource uses virual hosting or have  
multiple ip addresses. This solution slows down the whole SurfinGate,  
because there is a new filtering line.  
  
2. Dot/FQDN Tunnel  
  
In the Internet you have to use domain- or hostnames like  
"www.computec.ch" to reach some webservers. Finjan SurfinGate does  
identify the end of a domainname by a slash ("/").  
  
If you add a simple dot at the end of the domainname (e.g.  
"www.computec.ch."), the filtering mechanism could not catch the  
request. The same problem is described for SuperScout in  
http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally  
it is possible to encode the dot like "%2E".  
  
A possible workaround is to add additionally to the normal hostname  
(e.g. "www.computec.ch") the FQDN (fully qualified domain name) like  
"www.computec.ch.". This slows down the whole SurfinGate also, because  
there is a new filtering line.  
  
A tool for automated exploitation and a german analysis of the  
vulnerability is available at  
http://www.computec.ch/software/firewalling/url_filtering-tunnel/  
  
I wrote one and a half week ago an email to [email protected] and asked  
for some patches or workarounds. It seems that they droped my email and  
I don't even get a reply. I think that they will not publish a patch.  
  
A big thanks fly to Andrea Covello (http://www.covello.ch) and Guerkan  
Senguen (http://www.linuks.mine.nu) for helping me discovering this  
thread.  
  
Bye, Marc  
  
--   
Computer, Technik und Security  
http://www.computec.ch  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Sep 2002 00:00Current
7.4High risk
Vulners AI Score7.4
36