Hello, We might be able to fix this by simply doing a ping to the website before connecting, so that the IP of the host specified matches the connect field. In any case, the consistency of the host and connect is indeed a big design flaw. - Vikram On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes <gab.mnunes@xxxxxxxxx> wrote: > # Exploit Title: McAfee Web Gateway URL Filtering Bypass > # Date: 16/04/2012 > # Author: Gabriel Menezes Nunes > # Version: McAfee Web Gateway > # Tested on: McAfee Web Gateway 7.0 > # CVE: CVE-2012-2212 > > > I found a vulnerability in McAfee Web Gateway 7 that allows access to > filtered sites. > The appliance believes in the Host field of HTTP Header using CONNECT method. > Example > > CONNECT 66.220.147.44:443 HTTP/1.1 > Host: www.facebook.com > > > It is blocked. > > CONNECT 66.220.147.44:443 HTTP/1.1 (without host field) > > It is blocked. > > But: > > CONNECT 66.220.147.44:443 HTTP/1.1 > Host: www.uol.com.br (allowed url) > > The connection works. > > From here, I can send SSL traffic without a problem. This way, I can > access any blocked site that allows SSL connections. > Others test that I did is convert GET methods in CONNECT methods. > > GET http://www.facebook.com HTTP/1.1 > Host: www.facebook.com > > in > > CONNECT 66.220.147.44:80 HTTP/1.1 > Host: www.uol.com.br > > It will connect. > > and after it is possible to send the GET packets. It will work! > > This vulnerability is different from the CONNECT Tunnel method. The > flaw is on the Host field processing. The appliance believes on this > field. > > So, any sites can be accessed. URL filtering in this device/software > is irrelevant and useless. > One of the most important (if not the most important) feature of this > kind of device is to protect the network in accessing specific URLs. > So, this flaw is very dangerous, and it can be implemented even in > malwares, bypassing any protection. > I developed a python script that acts like a proxy and it uses this > flaw to access any site. > This tool is just a proof of concept. -- Regards, Vikram Dhillon ~~~ To perceive is to suffer.
