[29190] in bugtraq
Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet
daemon@ATHENA.MIT.EDU (Niels Bakker)
Wed Mar 5 16:50:06 2003
Date: Wed, 5 Mar 2003 21:44:11 +0100
From: Niels Bakker <niels=bugtraq@bakker.net>
To: bugtraq@securityfocus.com
Message-ID: <20030305204411.GE95139@trance.org>
Mail-Followup-To: Niels Bakker <niels=bugtraq@bakker.net>,
bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030304233917.20187.qmail@www.securityfocus.com>
* bit_logic@s-mail.com [Wed 05 Mar 2003, 21:35 CET]:
[..]
> C:\>telnet www.blockedsite.com 80
>
> GET / HTTP/1.1
> Host: www.blockedsite.com
>
> Given the nature of Telnet, the request is sent to the server one
> character at a time; obviously, the filter cannot examine packets with a
> single character of valid data, so each packet makes it through with no
Actually, in these situations, telnet works line-based. That's also why
backspace works (modulo matching terminal emulator and stty settings).
> problem. The blocked server waits until it receives all packets, then
> pieces them together and responds to the request. Incoming traffic isn't
> monitored, so the user is easily able to receive the source code of the
> page he requested via telnet.
Does a filtering product exist that has not had this flaw in the past?
> Unfortunately, I do not have the necessary equipment at my disposal to
> further test the exploit, although I know for a fact that it works, at
> least on firewalls with basic filter configurations. I also have yet to
> come up with a successful work-around for this bypass, as it occurs at a
> very low level. If anyone has any ideas, I'm all ears. Thanks.
Force all HTTP traffic via a proxy that sends out its own HTTP requests
in one packet; don't try to solve social problems with technical
solutions; and above all, realise that filtering in this way is utterly
useless censorship.
-- Niels.
--
subvertise me
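The thread above turns on one question: does the filter inspect each TCP segment on its own, or does it reassemble the request before matching? The following Python model is an added example, not code from the original post or from 3Com; it constructs the request typed into telnet in the quoted message, a blocklist containing www.blockedsite.com, and three chunkings of that request (per line, as Niels describes telnet behaving; per character, as the quoted post assumes; and fixed 8-byte segments, added here to show the effect does not depend on telnet at all). A stateless per-segment check is compared with a check that buffers to the end of the header block, which is the behaviour a proxy that issues its own requests gives you. The helper names and the blocklist are assumptions of this example.

```python
"""Per-segment vs. reassembled inspection of an HTTP request.

Added example (not from the Bugtraq post above). Models a content filter that
looks at each TCP segment in isolation next to one that reassembles the stream
up to the end of the request headers before deciding. Request, blocklist and
chunking helpers are constructed for the example.
"""
from typing import Iterable, List

# Constructed blocklist for the example.
BLOCKED_HOSTS = {"www.blockedsite.com"}

# Constructed request, as typed into telnet in the quoted post.
REQUEST = b"GET / HTTP/1.1\r\nHost: www.blockedsite.com\r\n\r\n"


def chunk_by_lines(data: bytes) -> List[bytes]:
    """One segment per CRLF-terminated line, as a line-mode telnet client sends."""
    parts = data.split(b"\r\n")
    segments = [p + b"\r\n" for p in parts[:-1]]
    if parts[-1]:  # trailing bytes without a CRLF, if any
        segments.append(parts[-1])
    return segments


def chunk_by_chars(data: bytes) -> List[bytes]:
    """One byte per segment, the behaviour the quoted post assumes telnet has."""
    return [data[i:i + 1] for i in range(len(data))]


def chunk_fixed(data: bytes, size: int) -> List[bytes]:
    """Fixed-size segments, the way any client could split a request."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def host_is_blocked(blob: bytes) -> bool:
    """Stateless check: does this blob carry a Host header naming a blocked host?"""
    for line in blob.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line[5:].strip().decode("ascii", "replace").lower()
            if host in BLOCKED_HOSTS:
                return True
    return False


def per_segment_filter(segments: Iterable[bytes]) -> str:
    """Inspect every segment on its own and never buffer.

    Anything that no single segment trips is let through, so the verdict
    depends entirely on where the client happened to split the request.
    """
    return "block" if any(host_is_blocked(seg) for seg in segments) else "allow"


def reassembling_filter(segments: Iterable[bytes]) -> str:
    """Buffer the stream until the header block ends, then inspect it once.

    This is what a proxy that sends out its own requests effectively does:
    the decision is made on the parsed request, not on wire segments.
    """
    buf = b""
    for seg in segments:
        buf += seg
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return "block" if host_is_blocked(buf[:end + 4]) else "allow"
    return "pending"  # headers incomplete: a proxy forwards nothing yet


if __name__ == "__main__":
    for name, segs in (("per line", chunk_by_lines(REQUEST)),
                       ("per char", chunk_by_chars(REQUEST)),
                       ("8-byte", chunk_fixed(REQUEST, 8))):
        print(f"{name:9s} per-segment={per_segment_filter(segs):5s} "
              f"reassembled={reassembling_filter(segs)}")
```

Run stand-alone, the per-line chunking is the only one the stateless filter catches; the per-character and 8-byte chunkings slip past it (the 8-byte case even delivers a segment reading `Host: ww`, which matches nothing), while the reassembling check blocks all three. The `pending` verdict is the other half of the mitigation: a proxy holds an incomplete request rather than forwarding its pieces.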