COMMAND

	Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue

SYSTEMS AFFECTED

	Symantec Enterprise Firewall (SEF) 7.0

PROBLEM

	
	-- Corsaire Security Advisory --
	
	Title: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
	Date: 24.02.03
	Application: Symantec Enterprise Firewall (SEF) 7.0
	Environment: Windows NT 4.0, Windows 2000, 
	Author: Martin O'Neal [martin.oneal@corsaire.com]
	Audience: General Distribution
	
	
	-- Scope --
	
	The aim of this document is to clearly define some issues related to a 
	URL pattern evasion issue in the HTTP proxy of the Symantec Enterprise 
	Firewall (SEF) product, as supplied by Symantec Inc. [1] 
	
	
	-- History --
	
	Vendor notified: 24.02.03 
	Document released: 26.03.03
	
	
	-- Overview --
	
	The SEF firewall product uses an application proxy strategy  to  provide
	enhanced security features for a variety of common  protocols.  For  the
	HTTP proxy, part of this additional functionality  allows  the  firewall
	to block URLs based on predefined regular expression patterns.
	
	However,  by  using  URL  encoding  techniques  this  pattern   matching
	functionality can be evaded.
	
	
	-- Analysis --
	
	The HTTP pattern matching functionality works by analysing the HTTP  URL
	format and comparing this against a database of predefined signatures.
	
	When an HTTP connection is processed via a rule that  is  configured  to
	use the pattern  matching  functionality,  it  is  checked  against  the
	signature database and if a match is found, the request is blocked  with
	a 403 Forbidden error.
	
	However, if one of the standard URL encoding  techniques  (e.g.  escaped
	encoding, Unicode, UTF-8) is used, then the pattern matching  will  fail
	to trigger and the attack will succeed.
	
	
	-- Proof of concept --
	
	Step 1: On the firewall host create a rule that allows HTTP traffic  and
	under the Advanced Services tab include the http.urlpattern setting.
	
	Step 2: Using the Editor open the httpurlpattern.cf file and  add  in  a
	new line consisting of only the word  "hamster".  Save  and  reconfigure
	the firewall.
	
	Step 3: To reproduce  this  issue,  open  a  standard  web  browser  and
	connect to a site that will be included within the  scope  of  the  rule
	created in the first  step  (i.e.  http://www.gerbil.com).  This  should
	result in a successful connection.
	
	Step 4: If the target pattern created in step 2 is appended to the  same
	URL (i.e.  http://www.gerbil.com/hamster)  then  the  connection  should
	fail with a 403 Forbidden error.
	
	Step 5: If a form of URL encoding is now used on the URL  from  step  4,
	(i.e. http://www.gerbil.com/h%69mster) then this will pass  through  the
	firewall successfully.

SOLUTION

	-- Recommendations --
	
	As an interim measure, the  documentation  that  is  supplied  with  the
	firewall  should  be  revised  to  state  explicitly  that  the  pattern
	matching functionality does not support  any  form  of  underlying  HTTP
	encoding schemes.
	
	Ideally, as a longer term solution the HTTP proxy should be enhanced  so
	that encoding schemes are resolved and applied prior to  performing  the
	pattern matching function.
	
	Symantec have provided a knowledge base article for customers  who  wish
	to restrict all escaped character sequences in protected URLS,  using  a
	regular expression pattern [2].
	
	
	-- CVE --
	
	The Common Vulnerabilities and Exposures (CVE) project has assigned  the
	name CAN-2003-0106 to this issue. This is a candidate for  inclusion  in
	the  CVE  list  (http://cve.mitre.org),  which  standardizes  names  for
	security problems.
	
	
	-- References --
	
	[1] http://enterprisesecurity.symantec.com/products/products.cfm?Pro
	    ductID=47&EID=0
	[2] http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/20030325
	    07434754
	
	
	-- Revision --
	
	a. Initial release. b. Minor revisions. c. Minor revisions.  d.  Revised
	to   include   CVE   reference.   e.   Revised   to   include   Symantec
	recommendation.
	
	
	-- Distribution --
	
	This security advisory may  be  freely  distributed,  provided  that  it
	remains unaltered and in its original form.
	
	
	-- Disclaimer --
	
	The information contained within this advisory is supplied "as-is"  with
	no warranties or guarantees of fitness of  use  or  otherwise.  Corsaire
	accepts no responsibility for any damage caused by the use or misuse  of
	this information.
	
	
	Copyright 2003 Corsaire Limited. All rights reserved.