Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue
From: Martin O'Neal (ntbugtraq@CORSAIRE.COM)
Date: 03/26/03
- Previous message: J. Merrill: "Re: Q329170 (MS02-070), Q327984 and slow logoffs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Mar 2003 09:07:54 -0000 From: Martin O'Neal <ntbugtraq@CORSAIRE.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-- Corsaire Security Advisory --
Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Date: 24.02.03
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General Distribution
-- Scope --
The aim of this document is to clearly define some issues related to a
URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise
Firewall (SEF) product, as supplied by Symantec Inc. [1]
-- History --
Vendor notified: 24.02.03
Document released: 26.03.03
-- Overview --
The SEF firewall product uses an application proxy strategy to provide
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to
block URLs based on predefined regular expression patterns.
However, by using URL encoding techniques this pattern matching
functionality can be evaded.
-- Analysis --
The HTTP pattern matching functionality works by analysing the HTTP URL
format and comparing this against a database of predefined signatures.
When an HTTP connection is processed via a rule that is configured to
use the pattern matching functionality, it is checked against the
signature database and if a match is found, the request is blocked with
a 403 Forbidden error.
However, if one of the standard URL encoding techniques (e.g. escaped
encoding, Unicode, UTF-8) is used, then the pattern matching will fail
to trigger and the attack will succeed.
-- Proof of concept --
Step 1: On the firewall host create a rule that allows HTTP traffic and
under the Advanced Services tab include the http.urlpattern setting.
Step 2: Using the Editor open the httpurlpattern.cf file and add in a
new line consisting of only the word "hamster". Save and reconfigure the
firewall.
Step 3: To reproduce this issue, open a standard web browser and connect
to a site that will be included within the scope of the rule created in
the first step (i.e. http://www.gerbil.com). This should result in a
successful connection.
Step 4: If the target pattern created in step 2 is appended to the same
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail
with a 403 Forbidden error.
Step 5: If a form of URL encoding is now used on the URL from step 4,
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the
firewall successfully.
-- Recommendations --
As an interim measure, the documentation that is supplied with the
firewall should be revised to state explicitly that the pattern matching
functionality does not support any form of underlying HTTP encoding
schemes.
Ideally, as a longer term solution the HTTP proxy should be enhanced so
that encoding schemes are resolved and applied prior to performing the
pattern matching function.
Symantec have provided a knowledge base article for customers who wish
to restrict all escaped character sequences in protected URLS, using a
regular expression pattern [2].
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
-- References --
[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
ductID=47&EID=0
[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325
07434754
-- Revision --
a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
Copyright 2003 Corsaire Limited. All rights reserved.
----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited. If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000 Email:info@corsaire.com
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
- Previous message: J. Merrill: "Re: Q329170 (MS02-070), Q327984 and slow logoffs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
