*Advisory Information*

Title: Astaro Security Gateway - bypass using whitelist domain pattern weakness
upSploit Ref: UPS-2011-0041

*Advisory Summary*

Astaro Security Gateway's default Web Filtering Exceptions allow specially-named domains to bypass security features of the firewall.

*Vendor*

Astaro

*Affected Software*

Astaro Security Gateway

"Astaro Security Gateway hardware, software, and virtual appliances provide full Unified Threat Management protection. All platforms include the complete feature set and the same ease-of-use." - http://www.astaro.com/

*Description of Issue*

Astaro Security Gateway - Home edition was used; other versions may be affected.

In the ASG WebAdmin console, choose Web Security, Web Filtering, Exceptions. The following regular expressions form a default whitelist that allows the firewall's features to be bypassed at varying levels, presumably to achieve compatibility:

^https?://[A-Za-z0-9.-]*adobe.com/
^https?://[A-Za-z0-9.-]*apple.com/
^https?://[A-Za-z0-9.-]*windowsupdate.com/
^https?://[A-Za-z0-9.-]*microsoft.com/

However, a savvy attacker need only serve malware from a drive-by web site named www.exampleadobe.com (which would match the first regular expression above), and the features of the firewall that would be bypassed include: Antivirus / Extension blocking / Content Removal / Authentication / URL Filter.

The regular expressions need to be fixed to ensure the domain cannot be prefixed with other letters.

*PoC*

Use of a domain name such as www.exampleadobe.com to serve up the EICAR test file (untested).

*Fix*

Update to the latest version.

*Credits*

Timeless Prototype

*References*

http://www.astaro.com/
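To show concretely why the prefix `[A-Za-z0-9.-]*` is the problem, and what an anchored pattern looks like, here is an added Python audit script. It is not part of the advisory and not Astaro's code; the tightened pattern is my own assumed rewrite, not the vendor's fix. It compares each shipped default against a tightened form on a small set of constructed URLs and reports every URL the pattern accepts whose host is not actually under the intended domain. Two defects surface: the label-less prefix lets `www.exampleadobe.com` through (the advisory's case), and the unescaped dots in `adobe.com` let a host like `adobe-com` through as well, because `.` in a regex matches any character. The ground truth is taken from the parsed hostname rather than the raw URL string, which is the more robust way to build such a check in the first place.

```python
import re
from urllib.parse import urlsplit

# The four default exception patterns quoted in the advisory, keyed by the
# domain each one was presumably meant to whitelist.
DEFAULT_PATTERNS = {
    "adobe.com": r"^https?://[A-Za-z0-9.-]*adobe.com/",
    "apple.com": r"^https?://[A-Za-z0-9.-]*apple.com/",
    "windowsupdate.com": r"^https?://[A-Za-z0-9.-]*windowsupdate.com/",
    "microsoft.com": r"^https?://[A-Za-z0-9.-]*microsoft.com/",
}


def tightened_pattern(domain: str) -> str:
    """Assumed corrected form of a whitelist entry for `domain` (not the vendor's fix).

    Two changes relative to the default: the prefix may only consist of whole
    DNS labels, each terminated by a dot, so `exampleadobe.com` cannot match;
    and the dots of the domain itself are escaped so they no longer match any
    character, so `adobe-com` cannot match either.
    """
    return r"^https?://([A-Za-z0-9-]+\.)*" + re.escape(domain) + "/"


def host_is_under(url: str, domain: str) -> bool:
    """Ground truth: the parsed host is `domain` itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def overmatches(pattern: str, domain: str, urls) -> list:
    """URLs the pattern accepts although their host is not under `domain`."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.match(u) and not host_is_under(u, domain)]


def undermatches(pattern: str, domain: str, urls) -> list:
    """URLs whose host is under `domain` but which the pattern rejects."""
    rx = re.compile(pattern)
    return [u for u in urls if host_is_under(u, domain) and not rx.match(u)]


# Constructed sample URLs; www.exampleadobe.com is the advisory's own example.
SAMPLE_URLS = [
    "http://adobe.com/",
    "https://www.adobe.com/reader/",
    "http://www.exampleadobe.com/download/",  # prefix bypass from the advisory
    "http://adobe-com/update/",               # unescaped dot matches "-"
    "http://evil.example/www.adobe.com/",     # domain in path, not host
]


def audit(domain: str) -> dict:
    """Compare the shipped pattern with the tightened one for a single domain."""
    weak = DEFAULT_PATTERNS[domain]
    strong = tightened_pattern(domain)
    return {
        "weak_overmatches": overmatches(weak, domain, SAMPLE_URLS),
        "strong_overmatches": overmatches(strong, domain, SAMPLE_URLS),
        "strong_undermatches": undermatches(strong, domain, SAMPLE_URLS),
    }


if __name__ == "__main__":
    report = audit("adobe.com")
    for key, urls in report.items():
        print(f"{key}: {urls}")
```

Run it as-is to audit the adobe.com entry; the shipped pattern accepts both the prefixed host and the hyphenated look-alike, while the tightened pattern accepts neither and still accepts adobe.com and its subdomains. The same `audit` call works for the other three domains. Note that any regex applied to the raw URL string still ignores details such as a port or userinfo before the host; an exception list that is evaluated against the parsed hostname, as `host_is_under` does, avoids that whole class of mismatch.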