Symantec Enterprise Firewall Lets Remote Users Bypass URL Blocking
SecurityTracker Alert ID: 1006384|
SecurityTracker URL: http://securitytracker.com/id/1006384
(Links to External Site)
Date: Mar 26 2003
Host/resource access via network|
Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability was reported in the Symantec Enterprise Firewall. A remote user can bypass URL blocking restrictions.|
Corsaire issued an advisory warning that the HTTP proxy's URL blocking feature can be defeated. A remote user can reportedly use URL encoding techniques to bypass the firewall's blocking mechanism and access URLs that should, according to the firewall's configured URL regular expression patterns, be blocked by the firewall. The report indicates that the standard URL encoding techniques, including escaped encoding, Unicode, and UTF-8, can be used.
A remote user can bypass the URL blocking mechanism.|
No solution was available at the time of this entry.|
As a workaround, Symantec has issued a knowledge base article to describe how to block URLs that contain any escaped character sequences, available at:
Vendor URL: enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&EID=0 (Links to External Site)
Input validation error|
|Underlying OS: UNIX (Solaris - SunOS), Windows (NT), Windows (2000)|
Source Message Contents
Subject: [VulnWatch] Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H|
-- Corsaire Security Advisory --
Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [email@example.com]
Audience: General Distribution
-- Scope --
The aim of this document is to clearly define some issues related to a
URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise
Firewall (SEF) product, as supplied by Symantec Inc. 
-- History --
Vendor notified: 24.02.03
Document released: 26.03.03
-- Overview --
The SEF firewall product uses an application proxy strategy to provide
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to
block URLs based on predefined regular expression patterns.
However, by using URL encoding techniques this pattern matching
functionality can be evaded.
-- Analysis --
The HTTP pattern matching functionality works by analysing the HTTP URL
format and comparing this against a database of predefined signatures.
When an HTTP connection is processed via a rule that is configured to
use the pattern matching functionality, it is checked against the
signature database and if a match is found, the request is blocked with
a 403 Forbidden error.
However, if one of the standard URL encoding techniques (e.g. escaped
encoding, Unicode, UTF-8) is used, then the pattern matching will fail
to trigger and the attack will succeed.
-- Proof of concept --
Step 1: On the firewall host create a rule that allows HTTP traffic and
under the Advanced Services tab include the http.urlpattern setting.
Step 2: Using the Editor open the httpurlpattern.cf file and add in a
new line consisting of only the word "hamster". Save and reconfigure the
Step 3: To reproduce this issue, open a standard web browser and connect
to a site that will be included within the scope of the rule created in
the first step (i.e. http://www.gerbil.com). This should result in a
Step 4: If the target pattern created in step 2 is appended to the same
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail
with a 403 Forbidden error.
Step 5: If a form of URL encoding is now used on the URL from step 4,
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the
-- Recommendations --
As an interim measure, the documentation that is supplied with the
firewall should be revised to state explicitly that the pattern matching
functionality does not support any form of underlying HTTP encoding
Ideally, as a longer term solution the HTTP proxy should be enhanced so
that encoding schemes are resolved and applied prior to performing the
pattern matching function.
Symantec have provided a knowledge base article for customers who wish
to restrict all escaped character sequences in protected URLS, using a
regular expression pattern .
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
-- References --
-- Revision --
a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
Copyright 2003 Corsaire Limited. All rights reserved.