OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eDvice Security Services (supportedvicetech.com)
Date: Tue May 29 2001 - 16:58:51 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    29 May 2001

    This is the third of 3 sequential advisories we are issuing regarding
    Aladdin eSafe Gateway.

    Status
    --------
    The entire content of this advisory was reviewed and acknowledged by
    Aladdin.

    Product Background
    --------------------------
    eSafe Gateway is an Internet Content Security product.

    You can configure eSafe Gateway to remove scripts (VBScripts, JavaScripts)
    and other executable tags from incoming HTML documents. Alternatively, the
    administrator can ban certain scripting commands from appearing inside
    scripts. The banned commands will be removed, while the rest of the HTML
    page is left intact.

    Scope
    --------
    eDvice recently conducted a test of eSafe's ability to remove scripts from
    HTML documents. Although scripts are widely used by many web-sites, some
    organizations requesting to allow only limited use of Internet access from
    their internal network, prefer to disable scripting capabilities in order to
    avoid various known, as well as yet to be found, browser-based attacks.

    The Findings
    ----------------
    eSafe does not recognize scripting tags constructed using extended Unicode
    notation. This allows an attacker to bypass eSafe script filtering mechanism
    and introduce malicious code into an organization.

    Details
    ---------
    eSafe gateway analyzes the incoming HTML file and searches for the keyword
    "<SCRIPT'. From the moment the keyword was found, eSafe looks for a
    following "</Script>" keyword and then replaces the entire content between
    these keywords with spaces.

    However, browsers such as Internet Explorer accept extended Unicode
    character representation within HTML files. If the string "<SCRIPT" is
    replaced with some extended Unicode representation, then eSafe will not
    filter the tag and the browser will run the script.

    Exploit
    ----------
    See Attached file (unzip it first).

    To repeat this vulnerability, place the file on your web server and
    configure eSafe to remove all scripts. Access the file using the browser and
    you will see the message "hello" on your screen. This is a message generated
    by a VBScript script that should have been filtered.

    Solution
    -----------
    Do not rely on eSafe Gateway version 3.0 for HTML filtering until Aladdin
    fixes the problem.
    Aladdin will publish a workaround to avoid this vulnerability and will
    address this issue in the next release of eSafe Gateway.

    ====================
    Discovered by:
    eDvice Security Services
    supportedvicetech.com
    http://www.edvicetech.com
    Tel: +972-3-6120133
    Fax: +972-3-6954837

    begin 666 script38a.zip
    M4$L#!!0````(`$=QO2JS]/CJP```/\````.````<V-R:7!T,SAA+FAT;6P]
    MC\$*D 0AN]![S#LW>P40:YM660"K4%'3?;<F%S3<>HY^AU(NS-4JQ.'_SS
    MS\>,X_-Z78[CL^\:<. <0]"+V"4S%G(5AZ/50F)D69(B6!BG-3F"/"5A6E
    MT+#&\J ,#'I]\E^/?VV4-[03/.L1Q(G("XETPV?6D$""F%GR4JHK_;HM?L]D
    MH^ +OF2N8[>L`_MWVSB:[FI6S_<CSE6&H$5Z*L5)TNO^&U4OH66.0'RIM2'5
    MT_X/&M/8'.ZMLGW[`U!+`0(4`!0````(`$=QO2JS]/CJP```/\````.````
    M``````$`( "V0````!S8W)I<'0S.&$N:'1M;%!+!08``````0`!`#P```#N
    %````````
    `
    end