Re: McAfee Web Gateway URL Filtering Bypass


We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes
<gab.mnunes@xxxxxxxxx> wrote:
# Exploit Title: McAfee Web Gateway URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: McAfee Web Gateway
# Tested on: McAfee Web Gateway 7.0
# CVE: CVE-2012-2212

I found a vulnerability in McAfee Web Gateway 7 that allows access to
filtered sites.
The appliance believes the Host field of the HTTP header when the CONNECT method is used.


It is blocked.

CONNECT HTTP/1.1 (without host field)

It is blocked.


Host: (allowed url)

The connection works.

From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.
Another test that I did was to convert GET methods into CONNECT methods.




It will connect.

After that, it is possible to send the GET packets. It will work!

This vulnerability is different from the CONNECT Tunnel method. The
flaw is in the Host field processing. The appliance believes on this

So, any site can be accessed. URL filtering in this device/software
is irrelevant and useless.
One of the most important (if not the most important) features of this
kind of device is to protect the network from accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malware, bypassing any protection.
I developed a Python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.

Vikram Dhillon

To perceive is to suffer.
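
The consistency check discussed in this thread, as an added example that is not part of either post and is not McAfee's code: a forward proxy's CONNECT decision that filters on the request target (the name the proxy will actually dial) and refuses the request when the Host header disagrees with it. BLOCKED_HOSTS, decide_connect, split_authority and the host names are constructed for illustration; names are compared as strings rather than resolved to IP addresses, so the check runs offline.

```python
# Added example: CONNECT policy decision for a forward proxy.
# BLOCKED_HOSTS and all host names are constructed placeholders.
BLOCKED_HOSTS = {"blocked.example"}


def split_authority(value, default_port):
    """Split 'host[:port]' into (lowercased host, port). IPv6 literals are not handled."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = value, str(default_port)
    if not host or not port.isdigit():
        raise ValueError("malformed authority")
    return host.lower().rstrip("."), int(port)


def decide_connect(raw_request: bytes):
    """Return (verdict, reason) for the head of a raw CONNECT request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return "deny", "not a well-formed CONNECT request line"
    hosts = [ln.split(":", 1)[1] for ln in lines[1:] if ln.lower().startswith("host:")]
    try:
        target = split_authority(parts[1], 443)
        if len(hosts) > 1:
            return "deny", "multiple Host headers"
        # A Host header, when present, must name the same authority as the target.
        if hosts and split_authority(hosts[0], target[1]) != target:
            return "deny", "Host header does not match CONNECT target"
    except ValueError:
        return "deny", "malformed authority"
    # Filtering is keyed on the CONNECT target, never on the Host header.
    if target[0] in BLOCKED_HOSTS:
        return "deny", "CONNECT target is filtered"
    return "allow", "CONNECT target permitted"
```

With this ordering, a request whose Host header names a permitted site cannot change the verdict for a filtered CONNECT target.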
