| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <445F67FA.9080505@vsecurity.com>
Date: Mon May 8 18:01:40 2006
From: advisories at vsecurity.com (VSR Advisories)
Subject: VSR Advisory: WebSense content filter bypass when
deployed in conjunction with Cisco filtering devices
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: WebSense content filter bypass when deployed in conjunction
with Cisco filtering devices
Release Date: 2006-05-08
Application: Websense in Conjunction with Cisco PIX
Version: Websense 5.5.2
Cisco PIX OS / ASA < 7.0.4.12
Cisco PIX OS < 6.3.5(112)
FWSM 2.3.x
FWSM 3.x
(other versions untested)
Severity: Low
Author: George D. Gal <ggal_at_vsecurity.com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2006-0515
Reference:
http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description:
>From the WebSense website[1]:
"Websense Enterprise, the industry-leading web filtering solution,
improves employee productivity, reduces legal liability, and optimizes
the use of IT resources. Websense Enterprise integrates seamlessly
with leading network infrastructure products to offer unequaled
flexibility and control."
Vulnerability Overview:
On August 9th, 2005 VSR has identified the ability to bypass the
Websense URL
filtering capabilities when used in conjunction with the Cisco PIX for
web content filtering. Shortly thereafter another security researcher
[sledge.hammer(a+t)sinhack.net] had published[2] a proof-of-concept for
evading the URL filtering performed by Websense claiming that Websense has
failed to address the issue. However, the vulnerability has been
verified by
Cisco as a problem which relies within its handling of filtered requests.
Vulnerability Details:
The vulnerability exists primarily due to the manner in which Cisco PIX
and other Cisco filtering devices handle split packets in conjunction with
Websense Enterprise integration.
For each HTTP request the Cisco PIX or other Cisco device forwards
individual
packets to Websense to determine whether or not the request should be
permitted.
However, when splitting the HTTP request into two or more packets on the
HTTP
method it is possible to circumvent the filtering mechanism.
Additionally, requests using this fragmented approach do not appear to be
logged within Websense indicating that the request is never sent to
Websense
for policy inspection.
The simplest form required to exploit this vulnerability is to fragment the
first character of the HTTP request, followed by a single TCP packet for
subsequent data (e.g. setting the PSH flag on the individual packets).
Virtual Security Research has created a utility[3] to demonstrate the
ability
to bypass Websense filtering for the affected versions of Cisco filtering
devices enumerated in this advisory header. You may download and run this
utility at your own risk from:
http://www.vsecurity.com/tools/WebsenseBypassProxy.java
The following Snort output demonstrates the fragmented request capable
of bypassing Websense:
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
11/04-10:06:36.260991 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x43
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1534
IpLen:20 DgmLen:53 DF
***AP*** Seq: 0xF5B80F51 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32
TCP Options (3) => NOP NOP TS: 148674 160066961
47 G
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.359288 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800
len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:36972
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47 Ack: 0xF5B80F52 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066973 148674
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.359387 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x185
10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1535
IpLen:20 DgmLen:375 DF
***AP*** Seq: 0xF5B80F52 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32
TCP Options (3) => NOP NOP TS: 148683 160066973
45 54 20 2F 66 61 76 69 63 6F 6E 2E 69 63 6F 20 ET /favicon.ico
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
77 77 77 2E 70 68 72 61 63 6B 2E 6F 72 67 0D 0A www.phrack.org..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 3B lla/5.0 (X11; U;
20 46 72 65 65 42 53 44 20 69 33 38 36 3B 20 65 FreeBSD i386; e
6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 39 29 20 n-US; rv:1.7.9)
47 65 63 6B 6F 2F 32 30 30 35 30 37 31 38 20 46 Gecko/20050718 F
69 72 65 66 6F 78 2F 31 2E 30 2E 35 0D 0A 41 63 irefox/1.0.5..Ac
63 65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C cept: image/png,
2A 2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 */*;q=0.5..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t-Language: en-u
73 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 s,en;q=0.5..Acce
70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt-Encoding: gzi
70 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 p,deflate..Accep
74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 t-Charset: ISO-8
38 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 859-1,utf-8;q=0.
37 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 7,*;q=0.7..Keep-
41 6C 69 76 65 3A 20 63 6C 6F 73 65 0D 0A 43 6F Alive: close..Co
6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D nnection: close.
0A 0D 0A ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/04-10:06:36.458004 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800
len:0x42
82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:55157
IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21D6E47 Ack: 0xF5B81095 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 160066982 148683
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vendor Response:
WebSense and Cisco were first notified on 2005-11-04. While no responses or
acknowledgments were received from Websense the following time line
outlines the responses from Cisco regarding this issue:
2005-11-04 - Acknowledgment of security notification
2005-12-02 - Subsequent follow-up and response from Cisco to determine
cause of observed behavior
2006-01-04 - Subsequent follow-up and response from Cisco acknowledging
issue is being addressed by development teams
2006-01-30 - Estimated release of PIX code for 7.0.4 release is 2/20/2006
2006-02-17 - Notified by Cisco that fix will not make estimated
delivery date
due to regression issues, new release data of 3/20/2006 provided
2006-03-06 - Status update from vendor on new date, targets on track
for 7.0
PIX OS release
2006-03-06 - Status update from vendor on new date, targets on track
for 7.0
PIX OS release
2006-03-13 - Confirmation from Cisco on 3/20 code release
2006-03-17 - Communications from Cisco notifying VSR of other potential
products
affected (FWSM).
2006-03-24 - Communications received from Cisco acknowledging communication
with FWSM team
2006-04-04 - Communication received from Cisco acknowledging FWSM
vulnerability
2006-04-07 - Communications from Cisco confirming fixes for FWSM 2.3.x
and 3.x
PSIRT awaiting release date for code
2006-04-14 - Communications from Cisco providing coordination details
with FWSM
team
2006-04-18 - Communications from Cisco providing build details
incorporating
fixes for FWSM products
2006-04-26 - Communications from Cisco providing details and update on
FWSM
testing and release availability; coordination for advisory release
2006-05-04 - Communications from Cisco for advisory release coordination
Recommendation:
Cisco PIX/ASA and FWSM customers should apply the latest upgrades from
vendor:
PIX OS 7.0.x upgrade is:
7.0.4.12
available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim
PIX OS 6.3 upgrade is:
6.3.5(112)
available by customer request via the Cisco TAC
FWSM 2.3.x upgrade is:
2.3(4)
available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
FWSM 3.x upgrade is:
3.1(1.7)
available by customer request via the Cisco TAC
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-0515
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. WebSense Enterprise
http://www.websense.com/global/en/ProductsServices/WebsenseEnterprise/
2. Sinhack.net URL Filtering Evasion
http://sinhack.net/URLFilteringEvasion/
3. Proof-of-Concept WebSense Bypass utility
http://www.vsecurity.com/tools/WebsenseBypassProxy.java
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerability Disclosure Policy:
http://www.vsecurity.com/disclosurepolicy.html
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright 2006 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFEX2f6TY6Rj3GeBOoRAsb0AJwMIEQImJuI0iGFWt5eb+6J4atlywCePE2B
inSG0jegPpIJgHrF8t32dbA=
=jN2B
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists