Bugtraq mailing list archives
Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet
From: Niels Bakker <niels=bugtraq () bakker net>
Date: Wed, 5 Mar 2003 21:44:11 +0100
* bit_logic () s-mail com [Wed 05 Mar 2003, 21:35 CET]: [..]
C:\>telnet www.blockedsite.com 80 GET / HTTP/1.1 Host: www.blockedsite.com Given the nature of Telnet, the request is sent to the server one character at a time; obviously, the filter cannot examine packets with a single character of valid data, so each packet makes it through with no
Actually, in these situations, telnet works line-based. That's also why backspace works (modulo matching terminal emulator and stty settings).
problem. The blocked server waits until it receives all packets, then pieces them together and responds to the request. Incoming traffic isn't monitored, so the user is easily able to receive the source code of the page he requested via telnet.
Does a filtering product exist that has not had this flaw in the past?
Unfortunately, I do not have the necessary equipment at my disposal to further test the exploit, although I know for a fact that it works, at least on firewalls with basic filter configurations. I also have yet to come up with a successful work-around for this bypass, as it occurs at a very low level. If anyone has any ideas, I'm all ears. Thanks.
Force all HTTP traffic via a proxy that sends out its own HTTP requests in one packet; don't try to solve social problems with technical solutions; and above all, realise that filtering in this way is utterly useless censorship. -- Niels. -- subvertise me
Current thread:
- 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet bit_logic (Mar 05)
- Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet Niels Bakker (Mar 05)
- Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet der Mouse (Mar 06)
- Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet David G. Andersen (Mar 05)
- Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet Niels Bakker (Mar 05)