Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue

[Martin O'Neal <bugtraq () corsaire com>]

-- Corsaire Security Advisory --

Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
Date: 24.02.03
Application: Symantec Enterprise Firewall (SEF) 7.0
Environment: Windows NT 4.0, Windows 2000, 
Author: Martin O'Neal [martin.oneal () corsaire com]
Audience: General Distribution


-- Scope --

The aim of this document is to clearly define some issues related to a 
URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise 
Firewall (SEF) product, as supplied by Symantec Inc. [1] 


-- History --

Vendor notified: 24.02.03 
Document released: 26.03.03


-- Overview --

The SEF firewall product uses an application proxy strategy to provide 
enhanced security features for a variety of common protocols. For the
HTTP proxy, part of this additional functionality allows the firewall to 
block URLs based on predefined regular expression patterns.

However, by using URL encoding techniques this pattern matching 
functionality can be evaded.


-- Analysis --

The HTTP pattern matching functionality works by analysing the HTTP URL 
format and comparing this against a database of predefined signatures.

When an HTTP connection is processed via a rule that is configured to 
use the pattern matching functionality, it is checked against the 
signature database and if a match is found, the request is blocked with 
a 403 Forbidden error.

However, if one of the standard URL encoding techniques (e.g. escaped 
encoding, Unicode, UTF-8) is used, then the pattern matching will fail 
to trigger and the attack will succeed.


-- Proof of concept --

Step 1: On the firewall host create a rule that allows HTTP traffic and 
under the Advanced Services tab include the http.urlpattern setting.

Step 2: Using the Editor open the httpurlpattern.cf file and add in a 
new line consisting of only the word "hamster". Save and reconfigure the 
firewall.

Step 3: To reproduce this issue, open a standard web browser and connect 
to a site that will be included within the scope of the rule created in 
the first step (i.e. http://www.gerbil.com). This should result in a 
successful connection. 

Step 4: If the target pattern created in step 2 is appended to the same 
URL (i.e. http://www.gerbil.com/hamster) then the connection should fail 
with a 403 Forbidden error. 

Step 5: If a form of URL encoding is now used on the URL from step 4, 
(i.e. http://www.gerbil.com/h%69mster) then this will pass through the 
firewall successfully.


-- Recommendations --

As an interim measure, the documentation that is supplied with the 
firewall should be revised to state explicitly that the pattern matching 
functionality does not support any form of underlying HTTP encoding 
schemes.

Ideally, as a longer term solution the HTTP proxy should be enhanced so 
that encoding schemes are resolved and applied prior to performing the 
pattern matching function.

Symantec have provided a knowledge base article for customers who wish 
to restrict all escaped character sequences in protected URLS, using a 
regular expression pattern [2].


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0106 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
    ductID=47&EID=0
[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325
    07434754


-- Revision --

a. Initial release.
b. Minor revisions.
c. Minor revisions.
d. Revised to include CVE reference.
e. Revised to include Symantec recommendation.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved.