The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 4 Mar 2003 23:39:17 -0000
From: [email protected]
To: [email protected]
Subject: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet



The following exploit presumably applies to all versions of the 3COM web 

content filtering software, and possibly web filtering devices of other 

makers.



Many businesses, schools, libraries, and other public places providing 

Internet access to customers implement web content filters to minimalize 

access to pornography, illegal software, racist literature, and so forth.  

A local school district, for example, uses the 3COM SuperStack 3 

firewall's filtering ability to weed out access to restricted websites.  

When a user attempts to access a banned website, the filter appears to 

check the HTTP request against a list of restricted sites and phrases.  If 

a match is found, the user is returned a notification that the requested 

site has been blocked.



The weakness exploited by this vulnerability is that the 3COM filter 

apparently does not reassemble fragmented packets before checking a 

request against its filter list.  This can be demonstrated in the 

following example:



A user on the LAN being filtered wishes to view a blocked website.  We'll 

call it www.blockedsite.com (original, eh?).  He opens his browser and 

enters the address.  Obviously, he is greeted with the 3COM "blocked site" 

page.



Possessing excessive ambition today, our user decides to find a way around 

the filter.  After a short series of tests, he finds that he can connect 

to the blocked site by telneting to port 80 of its domain or IP, and 

manually craft his own HTTP request header:



C:\>telnet www.blockedsite.com 80



GET / HTTP/1.1

Host: www.blockedsite.com



Given the nature of Telnet, the request is sent to the server one 

character at a time; obviously, the filter cannot examine packets with a 

single character of valid data, so each packet makes it through with no 

problem.  The blocked server waits until it receives all packets, then 

pieces them together and responds to the request.  Incoming traffic isn't 

monitored, so the user is easily able to receive the source code of the 

page he requested via telnet.



Taking this trivial exploit a step further, an experienced hacker could 

easily write a script or application to automate this entire process, 

parsing the source for images and other embedded content where necessary.  

This would result in a local copy of the requested site right on the 

user's hard disk.  In theory, one would only need to break apart key areas 

of the HTTP request packet in order to fool the filter, rather than 

sending every character individually.



Unfortunately, I do not have the necessary equipment at my disposal to 

further test the exploit, although I know for a fact that it works, at 

least on firewalls with basic filter configurations.  I also have yet to 

come up with a successful work-around for this bypass, as it occurs at a 

very low level.  If anyone has any ideas, I'm all ears.  Thanks.



- Bit_Logic

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру