Marc, Your issues have been escalated to me for resolution. I apologize for any delay; it is always our intention to respond immediately to any customer or product-related issue. Apologies aside, I would like to address the issues you brought up with regard to the Finjan SurfinGate URL List feature. SurfinGate’s help file makes the following statement regarding the intended usage of the URL List: "The URL filtering feature is intended for use as a white list solution, and allows the entry of active content from trusted sites that may contain code that otherwise violates the organization's security policy. It can also be used to block known hostile sites, but from a security point of view, the URL filter has a limited assurance level for actual code blocking. It is not recommended to trust this list as a strong black list." Finjan positions the URL List as a content management feature that gives system administrators the ability to make security policy exceptions in order to allow trusted content. However, the URL List was not designed to be a strong black list, and that is why the help file currently does not recommend it for this purpose. These are known issues. Our proactive products are based on patented technologies, and the security doesn't depend on managed lists. Having said that, we WILL address the matter in an upcoming release as content management issue. In fact, in April of this year, Finjan announced a licensing agreement with SurfControl, the URL filtering company. In future versions of SFG, the SurfControl URL categorization component will be integrated with SFG for security purposes. This component will not allow this type of exploit. Thank you for your interest in Finjan Software and the SurfinGate family of products. It is our mission to provide the most robust, proactive content security solutions available in the market. I also thank you in advance for your patience. For any future issues, please address them directly to mcrc@finjan.com or support@finjan.com as the info@finjan.com mailbox is more of a general marketing communication mailbox. Ken, Thank you for your posting. Regards, Menashe Eliezer Manager, Malicious Code Research Center Finjan Software http://www.finjan.com/mcrc Prevention is the best cure! -- -----Original Message----- From: Ken Fischer [mailto:kenf@users.junebug.org] Sent: Thursday, September 05, 2002 12:01 AM To: Marc Ruef; mcrc@finjan.com Cc: submissions@packetstormsecurity.org; news@securiteam.com; bugtraq@securityfocus.com Subject: Re: Bypassing the Finjan SurfinGate URL filter Marc, info@finjan.com seems to be a generic "catch-all" address for anything that doesn't have a more specific purpose. While I agree that it would be nice to have a reply, I wouldn't necessarily rely on it for a critical situation. Their "support case form" might have been a better way to get their attention quickly. :) In any case, I made one 30 second call to the Finjan support line, and a *very* helpful individual directed me to contact their Malicious Code Research Center (mcrc@finjan.com). I am copying them on this reply, so that they have an opportunity to address your concerns ASAP. <soapbox> I urge anyone that is willing to take the time and effort necessary to write/research vulnerability reports to also be willing to take a minimum amount of effort to notify the vendor. If you aren't, the damage is sometimes worth more than the good that is done. </soapbox> Disclaimer: I am not associated in any way with Finjan. I am simply a security professional that wants to make sure that the information is in the hands of the correct people. Best regards, -- Ken Fischer, CCNA <kenf@junebug.org> PGP Fingerprint: 9523 54B6 D67B BBFB 53B3 2F3B 7E81 0891 C495 CB50 -- On Wed, 4 Sep 2002, Marc Ruef wrote: > Hi! > > I've found two possibilities to bypass the Finjan SurfinGate URL filter > - Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000. > > 1. IP Tunnel > > Normally humans use domain- and hostnames instead of IP addresses. Most > users will add entries like "www.computec.ch" in the URL list of Finjan > SurfinGate to filter specific webservers. > > The main problem is, that the SurfinGate never does a lookup of the > contacted hostname. Now you can use IP addresses instead of hostnames to > reach the wanted ressource. A limitation of this bypassing technique is, > that it does not work with webservers, that use virual hosts. > > This problem is very heavy, if you use the SurfinGate as a plugin, where > the internal processes don't work with hostnames (I think that > Checkpoint Firewall-1 does it that way). Try to apply a rule to the > proxy-mechanism for using always hostnames instead of IP addresses. > > A possible workaround is to add additionally to the hostnames the used > IP addresses. Attention if the ressource uses virual hosting or have > multiple ip addresses. This solution slows down the whole SurfinGate, > because there is a new filtering line. > > 2. Dot/FQDN Tunnel > > In the Internet you have to use domain- or hostnames like > "www.computec.ch" to reach some webservers. Finjan SurfinGate does > identify the end of a domainname by a slash ("/"). > > If you add a simple dot at the end of the domainname (e.g. > "www.computec.ch."), the filtering mechanism could not catch the > request. The same problem is described for SuperScout in > http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally > it is possible to encode the dot like "%2E". > > A possible workaround is to add additionally to the normal hostname > (e.g. "www.computec.ch") the FQDN (fully qualified domain name) like > "www.computec.ch.". This slows down the whole SurfinGate also, because > there is a new filtering line. > > A tool for automated exploitation and a german analysis of the > vulnerability is available at > http://www.computec.ch/software/firewalling/url_filtering-tunnel/ > > I wrote one and a half week ago an email to info@finjan.com and asked > for some patches or workarounds. It seems that they droped my email and > I don't even get a reply. I think that they will not publish a patch. > > A big thanks fly to Andrea Covello (http://www.covello.ch) and Guerkan > Senguen (http://www.linuks.mine.nu) for helping me discovering this > thread. > > Bye, Marc > > -- > Computer, Technik und Security > http://www.computec.ch >
