Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
daemon@ATHENA.MIT.EDU (Coward, Anonymous)
Mon Jul 17 13:40:39 2000
Message-Id: <0625691C.007C327E.00@uprrsmtp2.notes.up.com>
Date: Fri, 14 Jul 2000 14:06:17 -0600
Reply-To: UPRR_DSA@UP.COM
From: "Coward, Anonymous" <UPRR_DSA@UP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
To make a long story short, obscuring the domain name does not circumvent
BorderManager.
BorderManager will either not resolve the address and fail, or it will figure
out the address and deny/allow based on its rules.
For bedtime reading, read the remaining post for more detail...
<paraphrase source=http://www.nwi.net/~pchelp/obscure.htm>
URLs can be obscured at least three ways:
1. Meaningless or deceptive text can be added after "http://" and before an
   "@" symbol.
2. The domain name can be expressed as an IP address in:
   a. dotted-decimal
   b. dword
   c. octal
   d. hexadecimal format
   e. variants
3. Characters appearing after the IP address can also be expressed as
   hexadecimal (base 16) numbers.
</paraphrase>
As results vary from browser to browser, I tested using both IE 5.0 and NS 4.08.
For completeness, I tested URLs as two different users: privileged and
unprivileged.
In addition, as previous posts have covered #3 well enough, I'll not bother with
it here.
*** results for privileged, trusted, can-go-anywhere user:
1.) blah@www.totalsports.net
    ns: DNS host name resolution failure
    ie: loaded the page
2.)
  a. 206.132.32.187 (duh!)
    ns: loaded page
    ie: loaded page
    add 256 to any/all segment in ip address - tried 462.132.32.187
    ns: invalid DNS host ip address
    ie: invalid DNS host ip address
  b. 3464765627
    ns: invalid DNS host ip address
    ie: invalid DNS host ip address
  c. 0316.0204.040.0273
    ns: loaded page
    ie: loaded page
  d. 0xcd8420bb and 0xcd.0x84.0x20.0xbb
    ns: DNS host name resolution failed
    ie: DNS host name resolution failed
  e. combining failed formats with successful formats failed
*** results for unprivileged joe user when www.totalsports.net is banned:
NOTE: DNS failures from above results have been omitted for brevity
1.) blah@www.totalsports.net
    ie: denied access by bordermanager
2.)
  a. 206.132.32.187
    ns: denied access by bordermanager
    ie: denied access by bordermanager
  c. 0316.0204.040.0273
    ns: denied access by bordermanager
    ie: denied access by bordermanager
el fin
g. johnson - udsa@up.com
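As an added example, not code from the original post or from Novell: a canonicaliser that collapses the numeric host forms listed above (dotted-decimal, octal, hex, dword, mixed) and the text-before-"@" decoy back to one dotted-quad before a deny/allow rule is matched, which is the step that lets the octal and dword variants of a banned site hit the same rule. The function names, the inet_aton-style parsing conventions and the rule sets are assumptions of the example.

```python
# Added example, not from the original post: canonicalise the host part of a
# URL the way a filtering proxy must before applying allow/deny rules, so the
# obscured numeric forms tested above all map back to one dotted-quad.
import re
from urllib.parse import urlsplit

_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _parse_part(tok: str) -> int:
    # inet_aton() conventions (assumed here): 0x.. hex, leading 0 octal, else decimal
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)

def canonical_ipv4(host: str):
    """Dotted-decimal for any inet_aton-style numeric host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:          # e.g. "08" is not valid octal
        return None
    head, last = vals[:-1], vals[-1]
    # the last part absorbs the remaining bytes: a.b.c.d, a.b.c, a.b, or a (dword)
    if any(v > 255 for v in head):
        return None             # 462.132.32.187 is rejected, as both browsers did
    last_bits = 8 * (4 - len(head))
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def effective_host(url: str) -> str:
    """Host a rule engine should match on; anything before '@' is userinfo."""
    host = urlsplit(url).hostname or ""     # drops the "blah@" decoy
    return canonical_ipv4(host) or host

def is_blocked(url: str, banned_hosts, banned_ips) -> bool:
    # constructed rule: block by name and by the canonical numeric address
    h = effective_host(url)
    return h in banned_hosts or h in banned_ips
```

A rule engine that only string-compares the raw host would miss the octal and dword spellings; resolving the name and canonicalising the address first is what made the deny rule hold in the tests above.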