Full Disclosure mailing list archives
Evading URL Filtering(websense) software configured in Transparent (or Sniffing) mode, without using a remote proxy.
From: "Sledge Hammer" <sledge.hammer () sinhack net>
Date: Mon, 15 Aug 2005 18:29:55 -0400
The mechanism behind this tool has been known for a while, but we haven't seen any published tool yet. So here you go.

Evading URL Filtering software configured in Transparent (or Sniffing) mode, without using a remote proxy.
http://sinhack.net/URLFilteringEvasion/

Last update: August 14 2005. This tool was coded in December 2002.

The vendor is informed:

We don't know about SurfControl, but Websense was informed in December 2002 when we found this. They have also had a copy of this proxy script for over a year.

Systems Affected:

* Any environment not using a proxy (Check Point Firewall-1, Cisco PIX, whatever...)
* URL filtering software that doesn't reconstruct HTTP packets before allowing them through
* Websense in Sniffing mode
* Websense with Check Point FW-1 in UFP (transparent, non-proxy)
* Websense with Cisco PIX
* SurfControl in transparent mode (not personally tested)
* Maybe others, but this is what we have been able to try.

Related: SurfControl SuperScout can be Bypassed Using Split Packets
http://www.securiteam.com/securitynews/5MP0L004KO.html
Archived: 20/06/2001 by ndesai01 at tampabay.rr.com (I didn't know about it at the time of my research...)

Disclaimers

This is a proof of concept. If you do stupid things using this tool, it's your fault. We are publishing this because we want sysadmins to be aware that some of their knowledgeable users might be able to evade their surveillance.

The following Perl script is a proof of concept that allows a user to bypass Websense (and possibly any other similar product) when it is installed in UFP mode or in Sniffing mode (i.e. transparent, non-proxy).

THE CONCEPT

The concept behind the weakness is simple: every time a user requests a web page, the browser generates a request that passes through the firewall. Websense (and other products) looks at this request and answers yes or no depending on whether the requested URL is in the database.
In transparent mode, Websense counts on the fact that the firewall will forward the whole request at one time. If it doesn't, Websense will simply let the packet pass, since that packet doesn't look like an HTTP request.

THE CONSEQUENCE

If a malicious employee wants to use the Internet without being traced, using a tool like this will allow him to bypass the filtering and the authentication. Since this has been known for over 4 years, there is a good chance that some already do it.

THE PROOF

How to test whether you are vulnerable without this tool: use the Windows telnet client to connect to a remote HTTP site. Be careful to type the request by hand and not simply cut and paste it, because each character needs to be sent one at a time. So:

telnet www.google.ca 80
GET / HTTP/1.0[enter][enter]

You should see the page displayed on the screen. This can be done even if you are not authenticated on the filtering engine. If you get a redirect page, then the filtering software has caught your request... too bad, it will not work.

HOW TO PATCH THE PRODUCT

There is no patch. The behavior is a direct result of how URL filtering in transparent mode, or the integration with a firewall, is done. Check Point SmartDefense could be a good way to detect this, and PIX already detects manual requests for SMTP...

IS THERE A WAY AROUND?

Yes: use Websense in Proxy Mode (with any proxy or with the Security Server of Check Point). The way around consists of making sure that the whole request is analysed at the same time.

IS THERE A WAY TO TRACE USERS BYPASSING WEBSENSE?

Long way: see if all requests in the Firewall-1 logs match an entry in the Websense logs.
Short way: my proxy is crappy and not all requests pass through (I should correct that). So you might see authentication errors for some requests.

KNOWN BUGS

* This proxy is not multi-threaded, so you may get a timeout when you have many pictures to download.
* The proxy only handles GET requests correctly.
  POST requests might not be handled correctly. I also should correct that one day. For the others, I don't know... (hey, it's only a proof of concept!)
* If you try to access a server that is not reachable (bad DNS, server down, etc.), the proxy will die. There is no handling of connection errors cos I'm too lazy to code them.
* The proxy doesn't handle the STOP button. You might need to restart the proxy after a transfer has been aborted.

DOWNLOAD THE SCRIPT:

Sakeru.pl <http://sinhack.net/URLFilteringEvasion/sakeru.txt> (Perl script, tested on Windows and Linux)

INSTALLATION

Under Windows: you will need Perl for Windows (like ActivePerl from ActiveState <http://www.activestate.com/Products/ActivePerl/?_x=1>)
Under Linux: you should already have everything you need.

Run the script:

perl -x sakeru.pl

Configure your browser to use a proxy on localhost port 5050.

Surf the tide!!

http://sinhack.net/URLFilteringEvasion/
Sledge.Hammer at sinhack.net
Sinhack Research Labs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
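The weakness described under THE CONCEPT and THE PROOF comes down to where the filter looks: at each packet on its own, or at the reassembled client-to-server stream. The following Python model, added here as an illustration and not part of the post or of sakeru.pl, runs the same request through both inspection strategies over a constructed list of TCP segment payloads. The blocklist, the sample request and the segment boundaries are all constructed for the example; no network traffic is involved.

```python
"""Why a sniffing URL filter must reassemble the TCP stream before judging.

Added example (not the original post's sakeru.pl). Two inspection strategies
are applied to a list of TCP segment payloads as the filter would see them:

  * per_segment_decision()  -- the weak behaviour the post describes: every
    segment is judged alone, and one that does not contain a complete HTTP
    request head "doesn't look like an HTTP request" and is passed through.
  * reassembled_decision()  -- the behaviour the post recommends: buffer the
    connection until the request head is complete, then parse the request
    line and Host header and consult the blocklist.

BLOCKED_HOSTS, REQUEST, WHOLE and SPLIT are constructed sample data.
"""
import re
from typing import Iterable, List, Optional, Tuple

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")

# Constructed sample policy: hosts the filter is supposed to block.
BLOCKED_HOSTS = {"blocked.example", "www.blocked.example"}


def parse_request_head(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, url) for a complete HTTP/1.x request head, else None."""
    if b"\r\n\r\n" not in data:
        return None                      # head not complete yet
    head = data.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    m = REQUEST_LINE.match(head)
    if not m:
        return None
    method, target = m.group(1).decode(), m.group(2).decode()
    host = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode()
    # Absolute-URI form (as sent to a proxy) or origin form (Host + path).
    url = target if target.startswith(("http://", "https://")) else f"http://{host}{target}"
    return method, url


def host_of(url: str) -> str:
    """Extract the lower-cased host name from an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0].lower()


def per_segment_decision(segments: Iterable[bytes]) -> List[str]:
    """Weak filter: one verdict per segment, each judged in isolation."""
    verdicts = []
    for seg in segments:
        parsed = parse_request_head(seg)
        if parsed is None:
            verdicts.append("pass")      # not recognised as HTTP: let it through
        elif host_of(parsed[1]) in BLOCKED_HOSTS:
            verdicts.append("block")
        else:
            verdicts.append("allow")
    return verdicts


def reassembled_decision(segments: Iterable[bytes]) -> str:
    """Stream-aware filter: buffer the connection until the head is complete."""
    buf = b""
    for seg in segments:
        buf += seg
        parsed = parse_request_head(buf)
        if parsed is not None:
            return "block" if host_of(parsed[1]) in BLOCKED_HOSTS else "allow"
    return "incomplete"                  # connection ended before a full head arrived


# Constructed traffic: the same request delivered in one segment, and delivered
# so fragmented that no single segment holds a complete request head.
REQUEST = b"GET / HTTP/1.0\r\nHost: www.blocked.example\r\n\r\n"
WHOLE = [REQUEST]
SPLIT = [bytes([b]) for b in REQUEST]


if __name__ == "__main__":
    print("whole request, per-segment :", per_segment_decision(WHOLE))
    print("split request, per-segment :", set(per_segment_decision(SPLIT)))
    print("whole request, reassembled :", reassembled_decision(WHOLE))
    print("split request, reassembled :", reassembled_decision(SPLIT))
```

The per-segment filter blocks the request only when it arrives in one piece and passes every fragment of the split copy, which is exactly the telnet test in THE PROOF; the reassembling filter reaches the same "block" verdict either way. A real stream reassembler must also order segments by sequence number, bound the buffer per connection and time out idle half-requests; this model leaves those out to keep the comparison visible.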
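The "long way" of tracing bypassers, comparing Firewall-1 logs against Websense logs, can be automated. This Python script is an added example, not part of the post: it parses two constructed log extracts (the field layouts are invented for the example and do not match any real Firewall-1 or Websense export format), then lists every accepted port-80 connection for which the filter logged no request from the same source within a short time window.

```python
"""Correlate firewall connection logs with URL-filter logs (the "long way").

Added example, not part of the original post. A port-80 connection that the
firewall accepted but for which the URL filter logged nothing from the same
source is a candidate for a request the filter never recognised.

FIREWALL_LOG and FILTER_LOG are constructed sample data in invented layouts:
  firewall: "timestamp;action;src;dst;dport"
  filter:   "date time src url"
Adapt parse_fw() and parse_filter() to the real export formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class FwConn:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class FilterHit:
    ts: datetime
    src: str
    url: str


FIREWALL_LOG = """\
2005-08-15 18:01:02;accept;10.0.0.5;203.0.113.10;80
2005-08-15 18:01:03;accept;10.0.0.5;203.0.113.10;80
2005-08-15 18:02:40;accept;10.0.0.9;198.51.100.7;80
2005-08-15 18:02:41;accept;10.0.0.9;198.51.100.7;443
2005-08-15 18:05:10;accept;10.0.0.7;192.0.2.33;80
"""

FILTER_LOG = """\
2005-08-15 18:01:02 10.0.0.5 http://203.0.113.10/
2005-08-15 18:01:03 10.0.0.5 http://203.0.113.10/logo.png
2005-08-15 18:05:08 10.0.0.7 http://192.0.2.33/index.html
"""


def parse_fw(text: str) -> List[FwConn]:
    """Parse the constructed firewall format; keep only accepted connections."""
    conns = []
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split(";")
        if action == "accept":
            conns.append(FwConn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return conns


def parse_filter(text: str) -> List[FilterHit]:
    """Parse the constructed URL-filter format."""
    hits = []
    for line in text.splitlines():
        date, time, src, url = line.split(" ", 3)
        hits.append(FilterHit(datetime.fromisoformat(f"{date} {time}"), src, url))
    return hits


def unmatched_http_connections(fw: List[FwConn], hits: List[FilterHit],
                               window: timedelta = timedelta(seconds=5)) -> List[FwConn]:
    """Return accepted port-80 connections with no filter entry from the same
    source within +/- window. Each filter entry is consumed at most once, so a
    burst of connections cannot all hide behind a single logged request."""
    by_src: Dict[str, List[FilterHit]] = {}
    for h in hits:
        by_src.setdefault(h.src, []).append(h)
    unmatched = []
    for c in sorted(fw, key=lambda c: c.ts):
        if c.dport != 80:
            continue                      # the filter only sees plain HTTP here
        candidates = by_src.get(c.src, [])
        match = next((h for h in candidates if abs(h.ts - c.ts) <= window), None)
        if match is None:
            unmatched.append(c)
        else:
            candidates.remove(match)
    return unmatched


if __name__ == "__main__":
    for c in unmatched_http_connections(parse_fw(FIREWALL_LOG), parse_filter(FILTER_LOG)):
        print(f"{c.ts} {c.src} -> {c.dst}:{c.dport}  no matching filter entry")
```

On the sample data only the 10.0.0.9 connection is reported: the 10.0.0.7 connection is matched by a filter entry two seconds earlier, and the 443 connection is skipped because the filter never sees TLS. Two caveats for real logs: a keep-alive connection carries several requests, so more filter entries than connections is normal and only the zero-entry case is interesting, and clock skew between the firewall and the filter host must be folded into the window.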