Vulnerability

NetGap

Affected

SpearHead NetGap

Description

The following has been discovered by eDvice Security Services. SpearHead's NetGAP appliance physically disconnects a company's network from the Internet. The product consists of two separate computers, an Untrusted CPU and a Trusted CPU, that are never directly connected at any given time.

NetGap includes a content checking engine. This engine supports the filtering of specified file types while they are being downloaded over HTTP. For example, the security administrator can prevent internal users from downloading executable (.exe) files by using the content checking engine to filter exe files.

Using Unicode encoding techniques, a user (or a malicious web site) can bypass NetGap's filtering engine. Web servers accept Unicode representation of characters in the URL by using a "%nn" notation. The NetGap™ URL filter does not correctly interpret URLs containing Unicode representation of characters. Consequently, the file

http://www.target.com/evilfile.exe

will go undetected by NetGap if represented as

http://www.target.com/evilfile.ex%65

However, when this URL reaches the web server, it will be interpreted exactly the same as

http://www.target.com/evilfile.exe

and the file will be downloaded to the user's desktop.

Solution

'%' encoding is used for the encoding of any 'non-legal' characters in URL format strings. The bug is that NetGap does not 'URL decode' the string before doing comparisons.

'%' (URL) encoding is *not* Unicode encoding - Unicode is a multibyte character set, which uses binary values outside the 32-127 range of printable ASCII. When Unicode characters are used in URLs, they are usually/often expressed in 'utf-8' encoding, which uses a short sequence of binary values to encode a full Unicode character. Many of the values used in utf-8 encoding of Unicode are illegal in URLs without using 'URL encoding' (% escaping), but not all % escaped characters represent either utf-8 or Unicode...
This is often mixed up because a number of recent MS IIS vulnerabilities have been due to incorrect 'unicode' decoding and/or incorrect detection of utf-8 encoded Unicode characters, some of which were due to ambiguities in the checking/removing of URL encoding. However, many more web server bugs are related solely to the common mistake of simply not removing URL encoding before doing security checks, such as the one demonstrated in NetGAP.

The problem was fixed in build 78 of the NetGAP software.
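
The missing 'URL decode' step described under Solution, shown as an added example (not NetGAP's code and not part of the original advisory): a file-type check that compares the raw URL next to one that percent-decodes the path first. The function names, the blocked-extension policy and the third and fourth sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed policy for the example: block executable downloads.
BLOCKED_EXTENSIONS = (".exe",)


def naive_is_blocked(url: str) -> bool:
    """Flawed check: compares the raw, still percent-encoded path."""
    return urlsplit(url).path.lower().endswith(BLOCKED_EXTENSIONS)


def decoded_is_blocked(url: str) -> bool:
    """Percent-decode the path, as the web server will, then compare."""
    raw_path = urlsplit(url).path  # query string and fragment are excluded
    # errors="replace" keeps invalid UTF-8 byte sequences from raising
    path = unquote(raw_path, encoding="utf-8", errors="replace")
    return path.lower().endswith(BLOCKED_EXTENSIONS)


# The first two URLs are the ones quoted in the advisory; the rest are constructed.
SAMPLES = [
    "http://www.target.com/evilfile.exe",
    "http://www.target.com/evilfile.ex%65",
    "http://www.target.com/evilfile.%45XE?x=1",
    "http://www.target.com/readme.txt",
]


def compare(urls):
    """Return (url, naive verdict, decoded verdict) for each URL."""
    return [(u, naive_is_blocked(u), decoded_is_blocked(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, decoded in compare(SAMPLES):
        print(f"{url:45} naive={naive!s:5} decoded={decoded}")
```

A filter is only reliable when it decodes the URL the same way the destination server does; this example assumes a server that applies a single round of percent-decoding to the path.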