RE: Bypassing the Finjan SurfinGate URL filter

["Menashe Eliezer" <menashe () finjan com>]

Marc,
Your issues have been escalated to me for resolution. I apologize for any
delay; it is always our intention to respond immediately to any customer or
product-related issue. Apologies aside, I would like to address the issues
you brought up with regard to the Finjan SurfinGate URL List feature.

SurfinGate’s help file makes the following statement regarding the intended
usage of the URL List: "The URL filtering feature is intended for use as a
white list solution, and allows the entry of active content from trusted
sites that may contain code that otherwise violates the organization's
security policy. It can also be used to block known hostile sites, but from
a security point of view, the URL filter has a limited assurance level for
actual code blocking. It is not recommended to trust this list as a strong
black list."

Finjan positions the URL List as a content management feature that gives
system administrators the ability to make security policy exceptions in
order to allow trusted content.  However, the URL List was not designed to
be a strong black list, and that is why the help file currently does not
recommend it for this purpose.  These are known issues. Our proactive
products are based on patented technologies, and the security doesn't
depend on managed lists.
Having said that, we WILL address the matter in an upcoming release as
content management issue. In fact, in April of this year, Finjan announced a
licensing agreement with SurfControl, the URL filtering company. In future
versions of SFG, the SurfControl URL categorization component will be
integrated with SFG for security purposes. This component will not allow
this type of exploit.

Thank you for your interest in Finjan Software and the SurfinGate family of
products. It is our mission to provide the most robust, proactive content
security solutions available in the market. I also thank you in advance for
your patience.  For any future issues, please address them directly to
mcrc () finjan com or support () finjan com as the info () finjan com mailbox is more
of a general marketing communication mailbox.

Ken,
Thank you for your posting.


Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc

Prevention is the best cure!
--


-----Original Message-----
From: Ken Fischer [mailto:kenf () users junebug org]
Sent: Thursday, September 05, 2002 12:01 AM
To: Marc Ruef; mcrc () finjan com
Cc: submissions () packetstormsecurity org; news () securiteam com;
bugtraq () securityfocus com
Subject: Re: Bypassing the Finjan SurfinGate URL filter


Marc,

info () finjan com seems to be a generic "catch-all" address for anything
that doesn't have a more specific purpose.  While I agree that it would
be nice to have a reply, I wouldn't necessarily rely on it for a
critical situation.  Their "support case form" might have been a better
way to get their attention quickly.   :)

In any case, I made one 30 second call to the Finjan support line,
and a *very* helpful individual directed me to contact their Malicious
Code Research Center (mcrc () finjan com).

I am copying them on this reply, so that they have an opportunity to
address your concerns ASAP.

<soapbox>
I urge anyone that is willing to take the time and effort necessary
to write/research vulnerability reports to also be willing to take
a minimum amount of effort to notify the vendor.   If you aren't,
the damage is sometimes worth more than the good that is done.
</soapbox>

Disclaimer: I am not associated in any way with Finjan.  I am simply
a security professional that wants to make sure that the information
is in the hands of the correct people.

Best regards,

--
Ken Fischer, CCNA  <kenf () junebug org>
PGP Fingerprint: 9523 54B6 D67B BBFB 53B3  2F3B 7E81 0891 C495 CB50
--


On Wed, 4 Sep 2002, Marc Ruef wrote:

> Hi!
>
> I've found two possibilities to bypass the Finjan SurfinGate URL filter
> - Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000.
>
> 1. IP Tunnel
>
> Normally humans use domain- and hostnames instead of IP addresses. Most
> users will add entries like "www.computec.ch" in the URL list of Finjan
> SurfinGate to filter specific webservers.
>
> The main problem is, that the SurfinGate never does a lookup of the
> contacted hostname. Now you can use IP addresses instead of hostnames to
> reach the wanted ressource. A limitation of this bypassing technique is,
> that it does not work with webservers, that use virual hosts.
>
> This problem is very heavy, if you use the SurfinGate as a plugin, where
> the internal processes don't work with hostnames (I think that
> Checkpoint Firewall-1 does it that way). Try to apply a rule to the
> proxy-mechanism for using always hostnames instead of IP addresses.
>
> A possible workaround is to add additionally to the hostnames the used
> IP addresses. Attention if the ressource uses virual hosting or have
> multiple ip addresses. This solution slows down the whole SurfinGate,
> because there is a new filtering line.
>
> 2. Dot/FQDN Tunnel
>
> In the Internet you have to use domain- or hostnames like
> "www.computec.ch" to reach some webservers. Finjan SurfinGate does
> identify the end of a domainname by a slash ("/").
>
> If you add a simple dot at the end of the domainname (e.g.
> "www.computec.ch."), the filtering mechanism could not catch the
> request. The same problem is described for SuperScout in
> http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally
> it is possible to encode the dot like "%2E".
>
> A possible workaround is to add additionally to the normal hostname
> (e.g. "www.computec.ch") the FQDN (fully qualified domain name) like
> "www.computec.ch.". This slows down the whole SurfinGate also, because
> there is a new filtering line.
>
> A tool for automated exploitation and a german analysis of the
> vulnerability is available at
> http://www.computec.ch/software/firewalling/url_filtering-tunnel/
>
> I wrote one and a half week ago an email to info () finjan com and asked
> for some patches or workarounds. It seems that they droped my email and
> I don't even get a reply. I think that they will not publish a patch.
>
> A big thanks fly to Andrea Covello (http://www.covello.ch) and Guerkan
> Senguen (http://www.linuks.mine.nu) for helping me discovering this
> thread.
>
> Bye, Marc
>
> --
> Computer, Technik und Security
> http://www.computec.ch