Bugtraq mailing list archives
Re: SurfControl Bypass Vulnerability
From: c0ncept <c0ncept () HUSHMAIL COM>
Date: Mon, 26 Mar 2001 09:54:01 -0800
It seems to be that either the product itself is broken, or the underlying library. IMHO, content filtering does not relate to security; I chose to post on this thread because it's obvious that the products are broken.

Disclaimer: I have not seen the source code for any content-filtering software that has been brought up on this list (or any at all for that matter).

Two of the methods that have been suggested, converting an IP to its 32-bit number, and using trailing 0s, could be indicative of the same thing: the programs are not checking their input. 32-bit IP numbers and octets with leading spaces are not valid URLs, per the specification. One possibility is that the IP goes through because the user input is blindly passed to gethostbyname(). I suspect the leading 0s work because of blind reliance on atoi() or some such function.

In general, passing around user-supplied input strings without examining them is Not A Good thing. It's entirely possible that all care is given to stripping out any possible attack vector: buffers are controlled and format strings stripped out, and whatnot. But I'd assume that if a program whose primary function is to parse URLs and make decisions based on them does not even attempt to ascertain whether or not a string passed to it *is* a URL, then they're probably lax on the rest of their code as well.

Also, we can tell a great deal about the mechanics of these programs by the way they work: if blocking by IPs (which, as someone pointed out, isn't necessarily a good idea), the actual IP structure should be compared against a 'bad' database, NOT a string representation that is then passed to a function to return the final structure. Perhaps actually generating a header (and looking at the IP:Host pair) and making decisions based on this would be a better solution; load-balanced servers would complicate the scheme, but would not be insurmountable.

IMHO, content-filtering is not security.

-- c0ncept
Disclaimer: I'm an 'arm chair' supporter of peacefire [http://www.peacefire.org/]
Chris and I recommended to the vendors that everything be translated to a canonical form before matching (32-bit unsigned ints in network byte order are tremendously unambiguous).
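The two points above (input that is never checked as a URL host, and matching on a canonical 32-bit form instead of a string) can be shown side by side in a few lines of C. The following is an added example written for this archive page; it is not code from c0ncept, from SurfControl, or from any filter discussed in the thread. It assumes a constructed blocklist containing the documentation address 198.51.100.7, uses libc's lenient inet_addr() to stand in for the "blind reliance on atoi()/gethostbyname()" path, and contrasts three filter designs: a naive string compare, a compare on the canonical 32-bit value, and a strict parser that rejects anything that is not a plain dotted quad before it is ever canonicalized.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed blocklist, stored in host byte order (documentation address, not a real IoC). */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const uint32_t BLOCKED_HOST_ORDER[] = { IPV4(198, 51, 100, 7) };

static int in_blocklist(uint32_t host_order)
{
    for (size_t i = 0; i < sizeof BLOCKED_HOST_ORDER / sizeof BLOCKED_HOST_ORDER[0]; i++)
        if (BLOCKED_HOST_ORDER[i] == host_order) return 1;
    return 0;
}

/* Design 1 (broken): compare the user-supplied string against the blocklist's string form.
 * Any alternate spelling of the same address walks straight past it. */
int blocked_by_string(const char *host)
{
    return strcmp(host, "198.51.100.7") == 0;
}

/* Design 2: let libc's lenient parser turn the string into a 32-bit address, then compare
 * the canonical value. inet_addr() accepts single 32-bit integers and octal/hex octets,
 * so the alternate spellings now match the same blocklist entry. */
int blocked_by_canonical(const char *host)
{
    in_addr_t a = inet_addr(host);
    if (a == INADDR_NONE) return 0;     /* not something libc could parse at all */
    return in_blocklist(ntohl(a));
}

/* Strict dotted-quad parser: exactly four decimal octets 0..255, no leading zeros,
 * no whitespace, no other spellings. On success stores the address in network byte order. */
int parse_strict_ipv4(const char *s, uint32_t *out)
{
    uint32_t host_order = 0;
    int octets = 0;
    const char *p = s;

    for (;;) {
        if (!isdigit((unsigned char)*p)) return 0;                 /* octet must start with a digit */
        if (*p == '0' && isdigit((unsigned char)p[1])) return 0;   /* "007": leading zero, reject */
        unsigned n = 0;
        int ndig = 0;
        while (isdigit((unsigned char)*p)) {
            if (++ndig > 3) return 0;                              /* "3325256711": not an octet */
            n = n * 10 + (unsigned)(*p - '0');
            p++;
        }
        if (n > 255) return 0;
        host_order = (host_order << 8) | n;
        octets++;
        if (*p == '\0') break;
        if (*p != '.' || octets == 4) return 0;                    /* wrong separator or too many parts */
        p++;
    }
    if (octets != 4) return 0;
    *out = htonl(host_order);
    return 1;
}

/* Design 3: validate first, then match on the canonical value.
 * Returns 1 = block, 0 = allow, -1 = malformed host (not a URL host, refuse to guess). */
int filter_decision(const char *host)
{
    uint32_t addr;
    if (!parse_strict_ipv4(host, &addr)) return -1;
    return in_blocklist(ntohl(addr)) ? 1 : 0;
}

int main(void)
{
    const char *inputs[] = { "198.51.100.7", "3325256711", "198.51.100.007", " 198.51.100.7" };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s string=%d canonical=%d strict=%d\n", inputs[i],
               blocked_by_string(inputs[i]), blocked_by_canonical(inputs[i]), filter_decision(inputs[i]));
    return 0;
}
```

The string comparison misses both the 32-bit integer spelling and the leading-zero spelling; canonicalizing with inet_addr() catches them but only because libc happens to understand those forms, and it would still accept octal or hex octets the filter author never anticipated. The strict parser removes the guesswork: anything that is not a plain dotted quad is reported as malformed rather than silently mapped, and what does pass is compared as a 32-bit value, which is the unambiguous form recommended in the thread.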
Current thread:
- SurfControl Bypass Vulnerability Witter, Franklin (Mar 21)
- Re: SurfControl Bypass Vulnerability skelly (Mar 22)
- Re: SurfControl Bypass Vulnerability Don Weber (Mar 22)
- <Possible follow-ups>
- Re: SurfControl Bypass Vulnerability Witter, Franklin (Mar 22)
- Re: SurfControl Bypass Vulnerability Chris St. Clair (Mar 22)
- Re: SurfControl Bypass Vulnerability Darren Reed (Mar 23)
- Re: SurfControl Bypass Vulnerability Paul Cardon (Mar 23)
- Re: SurfControl Bypass Vulnerability Dan Harkless (Mar 25)
- Re: SurfControl Bypass Vulnerability Ben Ford (Mar 26)
- Re: SurfControl Bypass Vulnerability Valdis Kletnieks (Mar 26)
- Re: SurfControl Bypass Vulnerability c0ncept (Mar 26)
- Re: SurfControl Bypass Vulnerability Ryan Russell (Mar 26)
- Re: SurfControl Bypass Vulnerability Darren Reed (Mar 23)