SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Symantec Enterprise Firewall (Raptor) Vendors:   Symantec
Symantec Enterprise Firewall Lets Remote Users Bypass URL Blocking
SecurityTracker Alert ID:  1006384
SecurityTracker URL:  http://securitytracker.com/id/1006384
CVE Reference:   CVE-2003-0106   (Links to External Site)
Date:  Mar 26 2003
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.0
Description:   A vulnerability was reported in the Symantec Enterprise Firewall. A remote user can bypass URL blocking restrictions.

Corsaire issued an advisory warning that the HTTP proxy's URL blocking feature can be defeated. A remote user can reportedly use URL encoding techniques to bypass the firewall's blocking mechanism and access URLs that should, according to the firewall's configured URL regular expression patterns, be blocked by the firewall. The report indicates that the standard URL encoding techniques, including escaped encoding, Unicode, and UTF-8, can be used.

Impact:   A remote user can bypass the URL blocking mechanism.
Solution:   No solution was available at the time of this entry.

As a workaround, Symantec has issued a knowledge base article to describe how to block URLs that contain any escaped character sequences, available at:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2003032507434754

Vendor URL:  enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&EID=0 (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H



-- Corsaire Security Advisory --

Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Date: 24.02.03
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000, 
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General Distribution


-- Scope --

The aim of this document is to clearly define some issues related to a 
URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise 
Firewall (SEF) product, as supplied by Symantec Inc. [1] 


-- History --

Vendor notified: 24.02.03 
Document released: 26.03.03


-- Overview --

The SEF firewall product uses an application proxy strategy to provide 
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to 
block URLs based on predefined regular expression patterns.

However, by using URL encoding techniques this pattern matching 
functionality can be evaded.


-- Analysis --

The HTTP pattern matching functionality works by analysing the HTTP URL 
format and comparing this against a database of predefined signatures.

When an HTTP connection is processed via a rule that is configured to 
use the pattern matching functionality, it is checked against the 
signature database and if a match is found, the request is blocked with 
a 403 Forbidden error.

However, if one of the standard URL encoding techniques (e.g. escaped 
encoding, Unicode, UTF-8) is used, then the pattern matching will fail 
to trigger and the attack will succeed.


-- Proof of concept --

Step 1: On the firewall host create a rule that allows HTTP traffic and 
under the Advanced Services tab include the http.urlpattern setting.

Step 2: Using the Editor open the httpurlpattern.cf file and add in a 
new line consisting of only the word "hamster". Save and reconfigure the 
firewall.

Step 3: To reproduce this issue, open a standard web browser and connect 
to a site that will be included within the scope of the rule created in 
the first step (i.e. http://www.gerbil.com). This should result in a 
successful connection. 

Step 4: If the target pattern created in step 2 is appended to the same 
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail 
with a 403 Forbidden error. 

Step 5: If a form of URL encoding is now used on the URL from step 4, 
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the 
firewall successfully.


-- Recommendations --

As an interim measure, the documentation that is supplied with the 
firewall should be revised to state explicitly that the pattern matching 
functionality does not support any form of underlying HTTP encoding 
schemes.

Ideally, as a longer term solution the HTTP proxy should be enhanced so 
that encoding schemes are resolved and applied prior to performing the 
pattern matching function.

Symantec have provided a knowledge base article for customers who wish 
to restrict all escaped character sequences in protected URLS, using a 
regular expression pattern [2].


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
    ductID=47&EID=0
[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325
    07434754


-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved. 


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC