Bugtraq mailing list archives
Re: McAfee Web Gateway URL Filtering Bypass
From: Vikram Dhillon <dhillonv10 () gmail com>
Date: Sat, 21 Apr 2012 08:40:09 -0400
Hello,

We might be able to fix this by simply doing a ping to the website before connecting, so that the IP of the host specified matches the connect field. In any case, the consistency of the host and connect is indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes <gab.mnunes () gmail com> wrote:
# Exploit Title: McAfee Web Gateway URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: McAfee Web Gateway
# Tested on: McAfee Web Gateway 7.0
# CVE: CVE-2012-2212

I found a vulnerability in McAfee Web Gateway 7 that allows access to filtered sites. The appliance believes the Host field of the HTTP header when the CONNECT method is used.

Example:

    CONNECT 66.220.147.44:443 HTTP/1.1
    Host: www.facebook.com

It is blocked.

    CONNECT 66.220.147.44:443 HTTP/1.1
    (without host field)

It is blocked.

But:

    CONNECT 66.220.147.44:443 HTTP/1.1
    Host: www.uol.com.br (allowed url)

The connection works. From here, I can send SSL traffic without a problem. This way, I can access any blocked site that allows SSL connections.

Another test that I did is to convert GET methods into CONNECT methods.

    GET http://www.facebook.com HTTP/1.1
    Host: www.facebook.com

into

    CONNECT 66.220.147.44:80 HTTP/1.1
    Host: www.uol.com.br

It will connect, and after that it is possible to send the GET packets. It will work!

This vulnerability is different from the CONNECT Tunnel method. The flaw is in the Host field processing. The appliance believes this field. So, any site can be accessed. URL filtering in this device/software is irrelevant and useless. One of the most important (if not the most important) features of this kind of device is to protect the network from accessing specific URLs. So, this flaw is very dangerous, and it can be implemented even in malware, bypassing any protection.

I developed a Python script that acts like a proxy and uses this flaw to access any site. This tool is just a proof of concept.
--
Regards,
Vikram Dhillon

~~~
To perceive is to suffer.
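
The consistency check discussed in this thread, as an added example that is not code from either poster or from the vendor: the filtering decision is made on the CONNECT target itself, and the Host header is accepted only when it names or resolves to that same target. The function names, the blocked list and the DNS_TABLE resolver stand-in are assumptions constructed for illustration.

```python
import ipaddress

# Constructed policy data; DNS_TABLE stands in for a resolver so this runs offline.
BLOCKED_NAMES = {"www.facebook.com"}
DNS_TABLE = {
    "www.facebook.com": {"66.220.147.44"},  # address quoted in the advisory
    "www.uol.com.br": {"203.0.113.10"},     # constructed (TEST-NET-3)
}

def addresses(host):
    """Return the set of IP strings a host name or IP literal stands for."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return set(DNS_TABLE.get(host, ()))

def split_hostport(value):
    """Split 'host:port', '[v6]:port' or a bare host into (host, port or None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]").lower(), int(port)
    return value.strip("[]").lower(), None

def parse_connect(raw):
    """Return (request target, Host header or None) from a raw CONNECT request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers.get("host")

def evaluate_connect(raw):
    """Decide on the tunnel's real destination; Host may only confirm it."""
    target, host_header = parse_connect(raw)
    t_host, port = split_hostport(target)
    if port is None:
        return "deny", "CONNECT target must be host:port"
    target_ips = addresses(t_host)
    blocked_ips = set().union(*(addresses(n) for n in BLOCKED_NAMES))
    if t_host in BLOCKED_NAMES or target_ips & blocked_ips:
        return "deny", "target is a blocked destination"
    if host_header:
        h_host, _ = split_hostport(host_header)
        if h_host != t_host and not (addresses(h_host) & target_ips):
            return "deny", "Host header does not match CONNECT target"
    return "allow", "target permitted"
```

A resolver-based comparison like this can reject legitimate requests when a name resolves to different addresses for the proxy and the client, so the mismatch verdict is also worth logging as a detection signal.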