lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20030305204411.GE95139@trance.org>
Date: Wed, 5 Mar 2003 21:44:11 +0100
From: Niels Bakker <niels=bugtraq@...ker.net>
To: bugtraq@...urityfocus.com
Subject: Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet


* bit_logic@...ail.com [Wed 05 Mar 2003, 21:35 CET]:
[..]
> C:\>telnet www.blockedsite.com 80
> 
> GET / HTTP/1.1
> Host: www.blockedsite.com
> 
> Given the nature of Telnet, the request is sent to the server one 
> character at a time; obviously, the filter cannot examine packets with a 
> single character of valid data, so each packet makes it through with no 

Actually, in these situations, telnet works line-based.  That's also why
backspace works (modulo matching terminal emulator and stty settings).


> problem.  The blocked server waits until it receives all packets, then 
> pieces them together and responds to the request.  Incoming traffic isn't 
> monitored, so the user is easily able to receive the source code of the 
> page he requested via telnet.

Does a filtering product exist that has not had this flaw in the past?


> Unfortunately, I do not have the necessary equipment at my disposal to 
> further test the exploit, although I know for a fact that it works, at 
> least on firewalls with basic filter configurations.  I also have yet to 
> come up with a successful work-around for this bypass, as it occurs at a 
> very low level.  If anyone has any ideas, I'm all ears.  Thanks.

Force all HTTP traffic via a proxy that sends out its own HTTP requests
in one packet; don't try to solve social problems with technical
solutions; and above all, realise that filtering in this way is utterly
useless censorship.


	-- Niels.

-- 
subvertise me

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ