exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SymantecFW.txt

SymantecFW.txt
Posted Mar 29, 2003
Authored by Martin O'Neal

Corsaire Security Advisory - The Symantec Enterprise Firewall (SEF) 7.0 allows URLs to be blocked based on predefined regular expression patterns. Utilizing URL encoding techniques this functionality can be evaded.

tags | advisory
SHA-256 | 88ab8f83030a662c57788624994d6f9339a65e39faa21fe5b363fa5e8832223d

SymantecFW.txt

Change Mirror Download

-- Corsaire Security Advisory --

Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Date: 24.02.03
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General Distribution


-- Scope --

The aim of this document is to clearly define some issues related to a
URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise
Firewall (SEF) product, as supplied by Symantec Inc. [1]


-- History --

Vendor notified: 24.02.03
Document released: 26.03.03


-- Overview --

The SEF firewall product uses an application proxy strategy to provide
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to
block URLs based on predefined regular expression patterns.

However, by using URL encoding techniques this pattern matching
functionality can be evaded.


-- Analysis --

The HTTP pattern matching functionality works by analysing the HTTP URL
format and comparing this against a database of predefined signatures.

When an HTTP connection is processed via a rule that is configured to
use the pattern matching functionality, it is checked against the
signature database and if a match is found, the request is blocked with
a 403 Forbidden error.

However, if one of the standard URL encoding techniques (e.g. escaped
encoding, Unicode, UTF-8) is used, then the pattern matching will fail
to trigger and the attack will succeed.


-- Proof of concept --

Step 1: On the firewall host create a rule that allows HTTP traffic and
under the Advanced Services tab include the http.urlpattern setting.

Step 2: Using the Editor open the httpurlpattern.cf file and add in a
new line consisting of only the word "hamster". Save and reconfigure the
firewall.

Step 3: To reproduce this issue, open a standard web browser and connect
to a site that will be included within the scope of the rule created in
the first step (i.e. http://www.gerbil.com). This should result in a
successful connection.

Step 4: If the target pattern created in step 2 is appended to the same
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail
with a 403 Forbidden error.

Step 5: If a form of URL encoding is now used on the URL from step 4,
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the
firewall successfully.


-- Recommendations --

As an interim measure, the documentation that is supplied with the
firewall should be revised to state explicitly that the pattern matching
functionality does not support any form of underlying HTTP encoding
schemes.

Ideally, as a longer term solution the HTTP proxy should be enhanced so
that encoding schemes are resolved and applied prior to performing the
pattern matching function.

Symantec have provided a knowledge base article for customers who wish
to restrict all escaped character sequences in protected URLS, using a
regular expression pattern [2].


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
ductID=47&EID=0
[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325
07434754


-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


Copyright 2003 Corsaire Limited. All rights reserved.
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close