This vulnerability exists in version 3.0.2 of SurfControl for MS Proxy.

Not only does it let you hit the first page using the octal address, but it
allows you to surf the entire site.  We tested it on 3 different systems
logged in as different users and were able to make multiple visits to the
same site.

SurfControl has confirmed this to be a vulnerability in this version.  No
ETA for a patch has been given at this point.

> -----Original Message-----
> From: Don Weber [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, March 21, 2001 5:42 PM
> To:   Witter, Franklin; [EMAIL PROTECTED]
> Subject:      RE: SurfControl Bypass Vulnerability
>
> Is this with a particular version? I tried it and as usual it lets me
> 'bypass' the first time but not any subsequent attempts, and if I use the
> octal format on one computer, a second or any subsequent computers will
> NOT get to the site.
>
>
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of
> Witter, Franklin
> Sent: Tuesday, March 20, 2001 10:07 AM
> To: [EMAIL PROTECTED]
> Subject: SurfControl Bypass Vulnerability
>
>
> It appears that there is yet another way to bypass the site blocking
> feature of SurfControl for MS Proxy.
>
> Our configuration:
>
> We have set up our rules to deny access to anyone attempting to reach
> sites classified as Adult/Sexually Explicit, Hacking, etc.
> That would mean that anyone trying to reach www.blockedsite.com would
> normally be denied access to the site.
>
> The workaround:
>
> 1.  First, do an nslookup on www.blockedsite.com to get the IP address of
> the site -- xxx.xxx.xxx.xxx
> 2.  Next, convert each octet to an octal number using the Windows
> calculator -- yyy.yyy.yyy.yyy
> 3.  Insert eight (8) leading zeros in the first and third octets and seven
> (7) leading zeros in the second and fourth octets --
> 00000000yyy.0000000yyy.00000000yyy.0000000yyy
> 4.  Type the modified octets into your browser's address bar and, voila!,
> you are successfully bypassing the SurfControl filter.
>
> I have contacted SurfControl about this but have had no response.
>
> If anyone has any suggestions for correcting this vulnerability, please
> let me know.
>
> Franklin Witter
> Network Security Specialist II
> 252-246-3546
> fax:  252-246-3463
> e-mail:  [EMAIL PROTECTED]
