[Full-disclosure] Evading URL Filtering(websense) software configured in Transparent (or Sniffing) mode, without using a remote proxy.

From: Sledge Hammer (sledge.hammer_at_sinhack.net)
Date: 08/16/05

  • Next message: Morning Wood: "[Full-disclosure] Apple Mac Tiger 10.4 weblog server"
    To: <full-disclosure@lists.grok.org.uk>
    Date: Mon, 15 Aug 2005 18:29:55 -0400
    
    

    The mechanism behind this tool has been known for a while, but we haven't
    seen any published tool yet. So here you go.

    Evading URL Filtering software configured in Transparent (or Sniffing) mode,
    without using a remote proxy.
    http://sinhack.net/URLFilteringEvasion/

    Last update: August 14 2005.
    This tool has been coded in December 2002.
    The vendor is Informed:
    We don't know about SurfControl, but Websense has been informed in December
    2002 when we found this. They also had a copy of this proxy script for over
    a year.

    System Affected:
    Any environment not using a proxy (Check Point Firewall-1, Cisco Pix,
    Whatever...)
    URL filtering software who don't reconstruct HTTP packets before allowing
    them through
      Websense in Sniffing mode
      Websense with Check Point FW-1 in UFP (transparent non proxy)
      Websense with Cisco Pix
      SurfControl in transparent mode (but not personnaly tested)
      Maybe others, but this is what we have been able to try.

    SurfControl SuperScout can be Bypassed Using Split Packets
    http://www.securiteam.com/securitynews/5MP0L004KO.html
     Archived : 20/06/2001 by ndesai01 at tampabay.rr.com (I didn't know at the
    moment of my research...)

      Maybe others, but this is what we have been able to try..

    Disclaimers
    This is a proof of concept. If you do stupid things using this tools, it's
    your fault. We are publishing this because we want the sysadmins to be aware
    that some of their knowledgable users might be able to evade their
    surveillance.

    The following perl script is a proof of concept that allow a user to bypass
    Websense (and possibly any other similar products) when this one is
    installed in UFP mode or in Sniffing mode (ie.: Transparent non proxy).

      
    THE CONCEPT
    The concept behind the weakness is simple: Every time a user asks a web
    page, the browser generates a request that pass through the Firewall.
    Websense (and other products) looks at this request and answers yes or no
    depending if the requested url is in the database. In transparent mode,
    Websense counts on the fact that the firewall will forward the whole request
    at one time. If not, Websense will simply let the packet pass, since this
    packet doesn't look like an http request.

    THE CONSEQUENCE
    If a malicious employee wants to use the Internet without being traced,
    Making use of a tool like this will allow him to bypass the filtering and
    the authentication. Since this has been known for over 4 years, there are
    great chances that they might do it already.

    THE PROOF
    How to test if you are vulnerable without this tool?
    use the Windows telnet client to connect to a remote http site. Be careful
    to type the request by hand and not simply cut and paste the request because
    each character needs to be sent one at a time.
    So:
    telnet www.google.ca 80
    GET / HTTP/1.0[enter][enter]

    You should see the page being displayed at the screen. This can be done even
    if you are not authenticated on the filtering engine.

    If you get a Redirect page, then the filtering software have catched your
    request... too bad, it will not work

    HOW TO PATCH THE PRODUCT
    There is no patch. The behavior is a direct result of how the url filtering
    in transparent mode or the integration with a firewall is done. Check Point
    Smart Defence could be a good way to detect this and PIX already detect
    manual request for SMTP...

    IS THERE A WAY AROUND?
    Yes: Use Websense in Proxy Mode (with any proxy or with the Security Server
    of Check Point). The way around consist of being sure that the whole packet
    is analysed at the same time.

    IS THERE A WAY TO TRACE USERS BYPASSING WEBSENSE?
    Long way: See if all request in the firewall-1 logs match an entry in the
    Websense logs
    Short way: My proxy is crappy and not all request pass through (I
    should correct that). So you might see authentication error for some
    request.

    KNOWN BUGS

        * This proxy is not multi-threaded, so you may have a timeout when
          you have many pictures to download
        * The proxy only handle GET request correctly. POST request might
          not be handled correctly. I also should correct that one day. For
          the others, I don't know... (hey, it's only a proof of concept!)
        * If you try to access a server that is not accessible (bad dns,
          server down, etc.). The proxy will die. There is no handling of
          connection error cos I'm too lazy to code them.
        * The proxy doesn't handle the STOP button. You might need to
          restart the proxy after the transfer has been aborted.

    DOWNLOAD THE SCRIPT: Sakeru.pl
    <http://sinhack.net/URLFilteringEvasion/sakeru.txt> (perl script, tested on
    Windows and Linux)

    INSTALLATION
    Under Windows: you will need Perl for windows (like ActivePerl from
    ActiveState <http://www.activestate.com/Products/ActivePerl/?_x=1>)
    Under Linux: you should already have everything you need.
    Run the script:
    perl -x sakeru.pl
    Configure your browser to use a proxy on localhost port 5050 Surf the tide!!

    http://sinhack.net/URLFilteringEvasion/

    Sledge.Hammer at sinhack.net
    Sinhack Research Labs

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: Morning Wood: "[Full-disclosure] Apple Mac Tiger 10.4 weblog server"

    Relevant Pages

    • Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
      ... I wouldn't call breaking proxy chaining mitigation, ... there's nothing at all in the Websense database indicating you went ... Now, as far as stripping out the Via header at ISA goes, per RFC 2616... ... "filtered request." ...
      (Full-Disclosure)
    • Re: Proxy Port detection
      ... > In our enterprise we have URL filtering capabilities and we restrict the usual ... how do you filter URLs without a proxy? ... If the following request ...
      (Security-Basics)
    • Re: Proxy Port detection
      ... URL requests that are not going through a proxy just request the ... subpage, such as " GET /index.html " in the HTTP header for example, ... In our enterprise we have URL filtering capabilities ...
      (Security-Basics)
    • Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
      ... manually trap HTTP REQUEST and forward it onto the server. ... change your proxy settings by clicking the button under the "proxy" tab to ... Cisco 3015 concentrator VPN bruteforce? ... interaction, like a header rewrite on the fly. ...
      (Pen-Test)
    • Re: AOL "proxy" behavior?
      ... > of valid AOL proxy behavior where a request for a single page can go thru ... Spawning multiple proxies to request information that ... > generally only 1 proxy would get. ... then the second had picked up the cookie of the ...
      (Incidents)