lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFm=iwKtV8dqJeNpxzPGvddUc9eGF7ARQPKSr-cCN4U+6ZHZ2Q@mail.gmail.com>
Date: Mon, 16 Apr 2012 19:12:14 -0300
From: Gabriel Menezes Nunes <gab.mnunes@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: McAfee Web Gateway URL Filtering Bypass

# Exploit Title: McAfee Web Gateway URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: McAfee Web Gateway
# Tested on: McAfee Web Gateway 7.0
# CVE: CVE-2012-2212


I found a vulnerability in McAfee Web Gateway 7 that allows access to
filtered sites.
The appliance believes in the Host field of HTTP Header using CONNECT method.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


It is blocked.

CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)

It is blocked.

But:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.uol.com.br (allowed url)

The connection works.

>From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.
Others test that I did is convert GET methods in CONNECT methods.

GET http://www.facebook.com HTTP/1.1
Host: www.facebook.com

in

CONNECT 66.220.147.44:80 HTTP/1.1
Host: www.uol.com.br

It will connect.

and after it is possible to send the GET packets. It will work!

This vulnerability is different from the CONNECT Tunnel method. The
flaw is on the Host field processing. The appliance believes on this
field.

So, any sites can be accessed. URL filtering in this device/software
is irrelevant and useless.
One of the most important (if not the most important) feature of this
kind of device is to protect the network in accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malwares, bypassing any protection.
I developed a python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.

View attachment "proxy_bypass.py" of type "text/x-python" (3571 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ