| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 Mar 2003 21:44:11 +0100 From: Niels Bakker <niels=bugtraq@...ker.net> To: bugtraq@...urityfocus.com Subject: Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet * bit_logic@...ail.com [Wed 05 Mar 2003, 21:35 CET]: [..] > C:\>telnet www.blockedsite.com 80 > > GET / HTTP/1.1 > Host: www.blockedsite.com > > Given the nature of Telnet, the request is sent to the server one > character at a time; obviously, the filter cannot examine packets with a > single character of valid data, so each packet makes it through with no Actually, in these situations, telnet works line-based. That's also why backspace works (modulo matching terminal emulator and stty settings). > problem. The blocked server waits until it receives all packets, then > pieces them together and responds to the request. Incoming traffic isn't > monitored, so the user is easily able to receive the source code of the > page he requested via telnet. Does a filtering product exist that has not had this flaw in the past? > Unfortunately, I do not have the necessary equipment at my disposal to > further test the exploit, although I know for a fact that it works, at > least on firewalls with basic filter configurations. I also have yet to > come up with a successful work-around for this bypass, as it occurs at a > very low level. If anyone has any ideas, I'm all ears. Thanks. Force all HTTP traffic via a proxy that sends out its own HTTP requests in one packet; don't try to solve social problems with technical solutions; and above all, realise that filtering in this way is utterly useless censorship. -- Niels. -- subvertise me
Powered by blists - more mailing lists