TUCoPS :: Security App Flaws :: win5675.htm

Bypassing the SurfinGate URL Filter in WinNT4 and Win2K
9th Sep 2002 [SBWID-5675]
COMMAND

		Bypassing the Finjan SurfinGate URL filter


SYSTEMS AFFECTED

		Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000


PROBLEM

		Marc Ruef of Computer, Technik und Security [http://www.computec.ch]
		reports, with the help of Andrea Covello [http://www.covello.ch] and
		Guerkan Senguen [http://www.linuks.mine.nu]:

		1. IP Tunnel

		Normally humans use domain and hostnames instead of IP addresses. Most
		users will add entries like "www.computec.ch" in the URL list of Finjan
		SurfinGate to filter specific webservers.

		The main problem is that SurfinGate never does a lookup of the
		contacted hostname. Now you can use IP addresses instead of hostnames
		to reach the wanted resource. A limitation of this bypassing technique
		is that it does not work with webservers that use virtual hosts.

		This problem is very heavy if you use SurfinGate as a plugin, where
		the internal processes don't work with hostnames (I think that
		Checkpoint Firewall-1 does it that way). Try to apply a rule to the
		proxy mechanism to always use hostnames instead of IP addresses.

		A possible workaround is to add, in addition to the hostnames, the used
		IP addresses. Attention if the resource uses virtual hosting or has
		multiple IP addresses. This solution slows down the whole SurfinGate,
		because there is a new filtering line.

		2. Dot/FQDN Tunnel

		On the Internet you have to use domain or hostnames like
		"www.computec.ch" to reach some webservers. Finjan SurfinGate
		identifies the end of a domainname by a slash ("/").

		If you add a simple dot at the end of the domainname (e.g.
		"www.computec.ch."), the filtering mechanism could not catch the
		request. The same problem is described for SuperScout in

		http://www.securiteam.com/securityreviews/5SP010U0KQ.html

		Additionally it is possible to encode the dot like "%2E".

		A possible workaround is to add, in addition to the normal hostname
		(e.g. "www.computec.ch"), the FQDN (fully qualified domain name) like
		"www.computec.ch.". This slows down the whole SurfinGate also, because
		there is a new filtering line.

		A tool for automated exploitation and a German analysis of the
		vulnerability is available at

		http://www.computec.ch/software/firewalling/url_filtering-tunnel/

		I wrote an email one and a half weeks ago to info@finjan.com and asked
		for some patches or workarounds. It seems that they dropped my email and
		I didn't even get a reply. I think that they will not publish a patch.
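
		Added example, not part of the advisory and not Finjan's or Marc Ruef's
		code: a small Python model of a URL block list. The first check behaves
		the way the report describes the filter (host text taken literally up to
		the first "/", no lookup), so the IP, trailing-dot and "%2E" forms slip
		past it. The second check canonicalises the host (percent-decoding,
		lower-casing, stripping the trailing dot) and, when the request names an
		IP literal, compares it with the addresses the listed hosts resolve to.
		The block list, the hostnames and the hostname-to-IP table are
		constructed; a real filter would use a resolver, and the virtual-hosting
		caveat from the report applies to the IP comparison.

```python
"""Added example (not from the advisory or Finjan): a URL block-list check
that models the behaviour described above (literal host text, no lookup)
beside a canonicalising check that handles the IP, trailing-dot and
%2E-encoded-dot variants. All hosts and addresses below are constructed."""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed block list, written the way an administrator would type it.
BLOCKED_HOSTS = {"www.computec.ch", "www.example.net"}

# Constructed stand-in for DNS (assumption: a real filter would resolve at
# load time or per request, and a host may have several addresses).
FAKE_DNS = {
    "www.computec.ch": {"192.0.2.10", "192.0.2.11"},   # TEST-NET-1, constructed
    "www.example.net": {"198.51.100.7"},               # TEST-NET-2, constructed
}


def naive_is_blocked(url: str) -> bool:
    """The weak check: host = text between '://' and the first '/',
    compared literally. 'www.computec.ch.' and '192.0.2.10' are not matched."""
    rest = url.split("://", 1)[-1]
    host = rest.split("/", 1)[0]
    return host in BLOCKED_HOSTS


def canonical_host(url: str) -> str:
    """Canonical hostname: percent-decoded (so %2E becomes '.'), lower-cased,
    port removed, and the trailing dot of the FQDN form stripped."""
    host = urlsplit(url).hostname or ""
    return unquote(host).lower().rstrip(".")


def blocked_addresses() -> set:
    """Addresses the listed hosts resolve to, so an IP-only request can be
    matched. Caveat from the report: on a virtual-hosting server this also
    blocks every other site served from the same address."""
    addrs = set()
    for host in BLOCKED_HOSTS:
        addrs |= FAKE_DNS.get(host, set())
    return addrs


def canonical_is_blocked(url: str) -> bool:
    """The hardened check: compare the canonical host, and if the request
    names an IP literal, compare it with the resolved addresses."""
    host = canonical_host(url)
    if host in BLOCKED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # not an IP literal and not in the list
    return str(addr) in blocked_addresses()


if __name__ == "__main__":
    # Constructed requests covering each variant the report describes.
    for url in ("http://www.computec.ch/",
                "http://www.computec.ch./",
                "http://www%2Ecomputec%2Ech/",
                "http://192.0.2.10/"):
        print(f"{url:35} naive={naive_is_blocked(url)!s:5} "
              f"canonical={canonical_is_blocked(url)}")
```

		The canonical form is what should be compared on both sides: the list
		entries as well as the request, so that "www.computec.ch" and
		"www.computec.ch." are one entry rather than two filtering lines.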

SOLUTION

		Finjan support replies:

		--snipp--

		Finjan positions the URL List as a content management feature that
		gives system administrators the ability to make security policy
		exceptions in order to allow trusted content. However, the URL List was
		not designed to be a strong black list, and that is why the help file
		currently does not recommend it for this purpose. These are known
		issues. Our proactive products are based on patented technologies, and
		the security doesn't depend on managed lists. Having said that, we WILL
		address the matter in an upcoming release as a content management issue.
		In fact, in April of this year, Finjan announced a licensing agreement
		with SurfControl, the URL filtering company. In future versions of SFG,
		the SurfControl URL categorization component will be integrated with
		SFG for security purposes. This component will not allow this type of
		exploit.
