Finjan's SurfinGuard Pro May Fail To Block Certain Malicious Content
SecurityTracker Alert ID: 1000946
SecurityTracker URL: http://securitytracker.com/id/1000946
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Jan 7 2002
Original Entry Date: Feb 20 2001
Impact: Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.5 (beta)

Description:
It is reported that Finjan's SurfinGuard Pro 5.5 active content filtering product (a beta release) may fail to filter certain scripts that are programmed to run not when viewed, but when the viewing application is exited.
Because the malicious script has been parsed but has not yet fired, SurfinGuard Pro may permit the viewing application to open the content. When that application exits, the script fires, circumventing the SurfinGuard Pro filtering protections.
A demonstration exploit is provided in the original message.
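Added example (not code from the advisory, SecurityTracker, Finjan or malware.com): a small defensive scanner that walks the HTML parts of an .eml message and reports script handlers bound to exit-time events, the deferred firing the advisory describes, so that content a render-time check would pass is still flagged. The message and the handler name are constructed.

```python
"""Report HTML e-mail parts whose scripts are bound to exit-time events
(onunload/onbeforeunload), the deferred firing this advisory describes.
Added example; the message and handler names below are constructed."""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Handlers that run only when the viewer closes or leaves the document.
EXIT_EVENTS = {"onunload", "onbeforeunload"}

class ExitHandlerScanner(HTMLParser):
    """Records every exit-time event handler attribute seen in the markup."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, handler code)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in EXIT_EVENTS:
                self.findings.append((tag.lower(), name.lower(), value or ""))

def scan_html(html):
    """Return the exit-time handlers found in one HTML document."""
    p = ExitHandlerScanner()
    p.feed(html)
    p.close()
    return p.findings

def scan_eml(raw):
    """Walk every text/html part of an RFC 822 message and collect findings."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings

# Constructed sample: nothing runs while the message is open; the only
# script execution is deferred to onunload, which a render-time check misses.
SAMPLE_EML = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onunload="runLater()">
<script>function runLater() { /* would fire only on exit */ }</script>
<p>Nothing happens while this message is open.</p>
</body></html>
"""
```

A gateway filter that treats any exit-time handler as active content, rather than waiting to observe a script fire at render time, closes the gap the advisory describes.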

Impact:
Malicious content (e.g., a web page, an e-mail message) could fail to be blocked by the SurfinGuard Pro software.

Solution:
The vendor has released a new version (5.6) that is not vulnerable.

Vendor URL: www.finjan.com

Cause:
Access control error

Underlying OS:

Message History:
None.

Source Message Contents

Date: Sat, 17 Feb 2001 15:17:26 -0800
Subject: CONTENT.filtering (aka SurfinGuard Pro 5.5 )

Saturday, February 17th, 2001

Referring to last month's HTML.dropper posting (see: http://www.securityfocus.com/bid/2260), detailed examination of "buzz words" like 'content filtering', 'real-time behaviour monitoring' and 'first-strike protection', used to describe many security applications, suggests otherwise.

For example purposes, we take the examination of one so-called content filtering application: SurfinGuard Pro 5.5 from an interesting company called http://www.finjan.com.

While at first glance this particular security software package does indeed defeat the HTML.dropper, on closer examination and with a 'bit' of imagination we find that it is actually quite trivial to defeat.

Specifically, it would seem that in this particular security software package's case, not only is it checking for legal MIME header information, e.g. content-disposition:attachment; content-type:application/malware; filename: iloveyou.vbs, it also prevents real-time firing of scripts. But in order to defeat that all we need do is set our scripts to fire on exit. That is, while the actual script has been parsed but not fired, our malware application is still allowed to open by this particular security software package. Thereafter, onunload, it fires, thus defeating this so-called technology.

Working example below. Harmless "demo" code incorporated:
SurfinGuard Pro 5.5 settings set to "HIGH" and "PANIC MODE"
[right click and save to disk, open in mail client. Constructed for OE5.5]
http://www.malware.com/strikeme.eml
compared to:
http://www.malware.com/madness.eml
which is caught

Notes:
1. Tested Software: SurfinGuard Pro 5.5 claims to be BETA and is free-ware.
2. Hopefully the registered versions and other products don't use the same technology.
3. For good open-source filtering take a look at John D. Hardin's E-mail Sanitizer ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html and Bjarni R. Einarsson's Anomy mail tools http://mailtools.anomy.net/

---
http://www.malware.com