Bugtraq mailing list archives

Re: SurfControl Bypass Vulnerability


From: "Witter, Franklin" <FWitter () BBANDT COM>
Date: Thu, 22 Mar 2001 08:35:26 -0500

This vulnerability exists in version 3.0.2 of SurfControl for MS Proxy.

Not only does it let you hit the first page using the octal address, but it
allows you to surf the entire site.  We tested it on 3 different systems
logged in as different users and were able to make multiple visits to the
same site.

SurfControl has confirmed this to be a vulnerability in this version.  No
ETA for a patch has been given at this point.

-----Original Message-----
From: Don Weber [SMTP:Don () AirLink com]
Sent: Wednesday, March 21, 2001 5:42 PM
To:   Witter, Franklin; BUGTRAQ () SECURITYFOCUS COM
Subject:      RE: SurfControl Bypass Vulnerability

Is this with a particular version? I tried it and as usual it lets me
'bypass' the first time but not any subsequent attempts, and if I use the
octal format on one computer, a second or any subsequent computers will
NOT get to the site.


-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
Witter, Franklin
Sent: Tuesday, March 20, 2001 10:07 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: SurfControl Bypass Vulnerability


It appears that there is yet another way to bypass the site blocking
feature of SurfControl for MS Proxy.

Our configuration:

We have set up our rules to deny access to anyone attempting to reach
sites classified as Adult/Sexually Explicit, Hacking, etc.
That would mean that anyone trying to reach www.blockedsite.com would
normally be denied access to the site.

The workaround:

1.  First, do an nslookup on www.blockedsite.com to get the IP address of
the site -- xxx.xxx.xxx.xxx
2.  Next, convert each octet to an octal number using the Windows
calculator -- yyy.yyy.yyy.yyy
3.  Insert eight (8) leading zeros in the first and third octets and seven
(7) leading zeros in the second and fourth octets --
00000000yyy.0000000yyy.00000000yyy.0000000yyy
4.  Type the modified octets into your browser's address bar and, voilà!,
you are successfully bypassing the SurfControl filter.

I have contacted SurfControl about this but have had no response.

If anyone has any suggestions for correcting this vulnerability, please
let me know.

Franklin Witter
Network Security Specialist II
252-246-3546
fax:  252-246-3463
e-mail:  FWitter () BBandT com
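
A filter that compares the host string exactly as typed will not see the zero-padded octal form from the workaround as the same address as its dotted-decimal form. The sketch below is an added example, not code from the thread or from SurfControl: it canonicalizes a numeric host before the block-list lookup, assuming the client interprets components with the classic inet_aton rules and that the filter keeps a list of blocked IP addresses; the function names are hypothetical and the sample address is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_part(text):
    """One component, inet_aton style: 0x.. is hex, a leading 0 is octal, else decimal."""
    text = text.lower()
    if text.startswith("0x"):
        digits, base = text[2:], 16
    elif text.startswith("0") and len(text) > 1:
        digits, base = text[1:], 8      # any number of leading zeros still means octal
    else:
        digits, base = text, 10
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits):
        raise ValueError("not a numeric component: %r" % text)
    return int(digits, base)

def canonical_ipv4(host):
    """Return the dotted-decimal form of a numeric host, or None if it is a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    # With fewer than four parts, the last one covers all remaining bytes.
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr += v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(addr))

def is_blocked(url, blocked_ips):
    """Compare the canonical address, not the raw host string, to the block list."""
    host = urlsplit(url).hostname
    canon = canonical_ipv4(host) if host else None
    return canon is not None and canon in blocked_ips

# Constructed sample: 198.51.100.7 is a documentation address (TEST-NET-2),
# padded the way step 3 describes (8, 7, 8, 7 leading zeros).
BLOCKED = {"198.51.100.7"}
PADDED = "http://00000000306.000000063.00000000144.00000007/"
if __name__ == "__main__":
    for url in (PADDED, "http://198.51.100.7/", "http://0xc6.0x33.0x64.0x7/"):
        print(url, "->", "blocked" if is_blocked(url, BLOCKED) else "allowed")
```

Name-based category rules still need the reverse mapping from the canonical address to the blocked site; this sketch covers only the address comparison.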

