

Posted Mar 29, 2003
Authored by Martin O'Neal

Corsaire Security Advisory - The Symantec Enterprise Firewall (SEF) 7.0 allows URLs to be blocked based on predefined regular expression patterns. Utilizing URL encoding techniques this functionality can be evaded.

tags | advisory
SHA-256 | 88ab8f83030a662c57788624994d6f9339a65e39faa21fe5b363fa5e8832223d



-- Corsaire Security Advisory --

Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Date: 24.02.03
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General Distribution

-- Scope --

The aim of this document is to clearly define a URL pattern evasion
issue in the HTTP proxy of the Symantec Enterprise Firewall (SEF)
product, as supplied by Symantec Inc. [1]

-- History --

Vendor notified: 24.02.03
Document released: 26.03.03

-- Overview --

The SEF firewall product uses an application proxy strategy to provide
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to
block URLs based on predefined regular expression patterns.

However, by using URL encoding techniques this pattern matching
functionality can be evaded.

-- Analysis --

The HTTP pattern matching functionality works by analysing the HTTP URL
format and comparing this against a database of predefined signatures.

When an HTTP connection is processed via a rule that is configured to
use the pattern matching functionality, it is checked against the
signature database and if a match is found, the request is blocked with
a 403 Forbidden error.

However, if one of the standard URL encoding techniques (e.g. escaped
encoding, Unicode, UTF-8) is used, then the pattern matching will fail
to trigger and the attack will succeed.

-- Proof of concept --

Step 1: On the firewall host create a rule that allows HTTP traffic and
under the Advanced Services tab include the http.urlpattern setting.

Step 2: Using the Editor open the httpurlpattern.cf file and add in a
new line consisting of only the word "hamster". Save and reconfigure the

Step 3: To reproduce this issue, open a standard web browser and connect
to a site that will be included within the scope of the rule created in
the first step (i.e. http://www.gerbil.com). This should result in a
successful connection.

Step 4: If the target pattern created in step 2 is appended to the same
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail
with a 403 Forbidden error.

Step 5: If a form of URL encoding is now used on the URL from step 4,
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the
firewall successfully.

-- Recommendations --

As an interim measure, the documentation that is supplied with the
firewall should be revised to state explicitly that the pattern matching
functionality does not support any form of underlying HTTP encoding

Ideally, as a longer term solution the HTTP proxy should be enhanced so
that encoding schemes are resolved and applied prior to performing the
pattern matching function.

Symantec have provided a knowledge base article for customers who wish
to restrict all escaped character sequences in protected URLs, using a
regular expression pattern [2].
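
The two approaches above, sketched as an added example (not part of the
Corsaire advisory and not Symantec's code): matching after escapes are
resolved, and refusing any URL that still carries an escape sequence.
The function names, the decode-pass limit and the "h%61mster" sample
(%61 is the escaped form of "a") are assumptions made for illustration;
only percent-escaping is handled, not the other encodings listed in the
Analysis section.

```python
import re
from urllib.parse import unquote, urlsplit

BLOCKED = [re.compile(r"hamster")]   # test pattern from step 2
MAX_DECODE_PASSES = 3                # assumed bound on nested escaping
HAS_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def naive_blocked(url):
    """Match the URL exactly as received, with no decoding."""
    return any(p.search(url) for p in BLOCKED)

def normalise(url):
    """Resolve percent-escapes in path and query until the text is stable.

    Returns None when escapes are still being peeled off after
    MAX_DECODE_PASSES, so the caller can fail closed.
    """
    parts = urlsplit(url)
    text = parts.path + ("?" + parts.query if parts.query else "")
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(text, errors="replace")
        if decoded == text:
            return decoded
        text = decoded
    return None

def hardened_blocked(url):
    """Longer-term fix: decode first, then run the pattern match."""
    canon = normalise(url)
    if canon is None:        # suspiciously deep nesting: refuse
        return True
    return any(p.search(canon) for p in BLOCKED)

def strict_blocked(url):
    """Interim policy: refuse any URL containing an escape sequence."""
    return bool(HAS_ESCAPE.search(url)) or naive_blocked(url)

# Constructed sample requests against the host used in the steps above.
SAMPLES = [
    "http://www.gerbil.com/",
    "http://www.gerbil.com/hamster",
    "http://www.gerbil.com/h%61mster",
    "http://www.gerbil.com/h%2561mster",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, naive_blocked(u), hardened_blocked(u), strict_blocked(u))
```

The strict policy also refuses legitimate URLs that need escaping (for
example a space sent as %20), which is the cost of the interim measure.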

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325

-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.

-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

Copyright 2003 Corsaire Limited. All rights reserved.