Vulnerability discovered in SpearHead NetGap

Background

SpearHead's NetGAP™ appliance physically disconnects a company's network
from the Internet. The product consists of two separate computers, an
Untrusted CPU and a Trusted CPU, that are never directly connected at any
given time.

NetGap™ includes a content checking engine. This engine supports the
filtering of specified file types, while being downloaded over HTTP. For
example, the security administrator can prevent internal users from
downloading executable (.exe) files by using the content checking engine to
filter exe files.

The problem

Using Unicode encoding techniques, a user (or a malicious web site) can
bypass
NetGap's filtering engine.

Status

The vendor has acknowledged the vulnerability and will release a patch in
the next few days.
Vendor was informed on 15 May 2001.

Details

Web servers accept Unicode representation of characters in the URL by using
a "%nn" notation. The NetGap™ URL filter does not interpret correctly URLs
containing Unicode representation of characters. Consequently, the file
http://www.target.com/evilfile.exe will go undetected by NetGap™ if
represented as http://www.target.com/evilfile.ex%65. However, when this URL
reaches the web server, it will be interpreted exactly the same as
http://www.target.com/evilfile.exe and the file will be downloaded into the
user's desktop.

Solution

Do not rely on NetGap™ for URL filtering until vendor releases a fix.

====================
Discovered by:
eDvice Security Services
[email protected]
http://www.edvicetech.com
Tel: +972-3-6120133
Fax: +972-3-6954837