Bugtraq mailing list archives

Re: SurfControl Bypass Vulnerability


From: c0ncept <c0ncept () HUSHMAIL COM>
Date: Mon, 26 Mar 2001 09:54:01 -0800

        It seems to be that either the product itself is broken, or the underlying
library.
        IMHO, content filtering does not relate to security; I choose to post on
this thread because it's obvious that the products are broken.
        Disclaimer: I have not seen the source code for any content-filtering
software that has been brought up on this list (or any at all for that
matter).
        Two of the methods that have been suggested, converting an IP to its
32-bit number, and using trailing 0s, could be indicative of the same thing:
the programs are not checking their input. 32-bit IP numbers and octets
with leading spaces are not valid URLs, per the specification.  One
possibility is that the IP goes through because the user input is blindly
passed to gethostbyname(). I suspect the leading 0s work because of blind
reliance on atoi() or some such function.
        In general, passing around user-supplied input strings without examining
them is Not A Good thing. It's entirely possible that all care is given to
stripping out any possible attack vector: buffers are controlled and format
strings stripped out, and what not. But, I'd assume that if a program whose
primary function is to parse URLs and make decisions based on them does not
even attempt to ascertain whether or not a string passed to it *is* a URL,
then they're probably lax on the rest of their code as well.
        Also, we can tell a great deal about the mechanics of these programs by the
way they work: If blocking by IPs ( which, as someone pointed out, isn't
necessarily a good idea), the actual IP structure should be compared
against a 'bad' database, NOT a string representation that is then passed to
a function to return the final structure. Perhaps actually generating a
header (and looking at the IP:Host pair) and making decisions based on this
would be a better solution; load-balanced servers would complicate the
scheme, but would not be insurmountable.
        IMHO, content-filtering is not security.

        -- c0ncept

Disclaimer: I'm an 'arm chair' supporter of peacefire
[http://www.peacefire.org/]

Chris and I recommended to the vendors that everything be translated to
a canonical form before matching (32-bit unsigned ints in network byte
order are tremendously unambiguous).
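The point made in the post (an IP string passed straight to a lax parser) and the canonical-form recommendation in the last paragraph, as an added example that is not part of the original thread. The block list contents and the `canonical_ipv4`, `naive_blocked` and `is_blocked` names are constructed for illustration; `canonical_ipv4` reproduces the lax dotted-part parsing of BSD `inet_aton()` in pure Python so it runs offline.

```python
import re

# Constructed block list, stored canonically as 32-bit host-order ints
# (10.0.0.1 and 192.168.1.5) rather than as strings.
BLOCKED_IPS = {0x0A000001, 0xC0A80105}

# Naive form: the string is matched as typed, so any alternate spelling of
# the same address never matches.
BLOCKED_STRINGS = {"10.0.0.1", "192.168.1.5"}

# One dotted part: hex (0x..), octal (leading 0) or plain decimal. Leading
# spaces or empty parts fail here, since they are not legal in a host.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def canonical_ipv4(host):
    """Return the 32-bit value of an IPv4 literal, or None if host is not one.

    Mirrors inet_aton(): one to four dot-separated parts, each decimal,
    octal or hex; the final part fills all remaining bytes, so "167772161",
    "10.1" and "012.0.0.01" all denote 10.0.0.1.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif p.startswith("0"):
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None  # a part overflows the bytes it has to fill
    return sum(v << (8 * (3 - i)) for i, v in enumerate(head)) + last


def naive_blocked(host):
    """String comparison: the form the post argues is broken."""
    return host in BLOCKED_STRINGS


def is_blocked(host):
    """Compare the canonical 32-bit value, not its spelling."""
    addr = canonical_ipv4(host)
    if addr is None:
        # Not an IPv4 literal: a real filter would resolve the hostname and
        # compare the resulting address; that path is omitted here.
        return False
    return addr in BLOCKED_IPS
```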

