Re: SurfControl Bypass Vulnerability

[Andrew Moran <amoran () NOMAD NET AU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain; charset=us-ascii


> As for an interim fix, it depends on the software and how flexible
> it is. Some will let you block certain regex's, some won't. If it
> does support regex's, the actual regex will depend on the different
> combinations you can use to represent the IP octets. For example,
> a combination of hex, octal, and regular decimal:
> 0xc0.168.000000001.1
>
> Coming up with an effective regex to match that might be tough.
>
> -chris
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com


I'm using Squid 2.3.STABLE3 for URL filtering and this workaround doesn't seem
to work.
*I think* Squid treats it as a hostname (because it isn't in the
xxx.xxx.xxx.xxx format?) and thus cannot resolve it, producing a DNS error.

I tried www.sex.com (209.81.7.21), which is blocked, and Squid returns:

- -----------------
While trying to retrieve the URL: http://00000000321.0000000121.000000007.00000
00025/

The following error was encountered:

       Unable to determine IP address from host name for
00000000321.0000000121.000000007.0000000025

The dnsserver returned:

       Name Error: The domain name does not exist.
- ------------------

This is access.log:
985316877.011      4 172.28.5.237 TCP_MISS/503 1269 GET
http://00000000321.0000000121.000000007.0000000025/ -
DIRECT/00000000321.0000000121.000000007.0000000025 -

And yes, the octal string works with nslookup
        -Andrew.



- --
Andrew Moran
Internetworking/UNIX Systems Engineer
Nomad Telecommunications
mailto:amoran () nomad net au
Ph: +61 3 9520 7825
Fx: +61 3 9520 7851


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Exmh version 2.1.1 10/15/1999 (debian)

iD8DBQE6ur3rD62KcsHh/L0RAk/iAKCOYejhuWisLW32tJam4PAdg7PKiwCgl0nl
uhMlO+1dMOYsLpsrgquD0mE=
=3dMa
-----END PGP SIGNATURE-----