Home page logo

bugtraq logo Bugtraq mailing list archives

Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet
From: Niels Bakker <niels=bugtraq () bakker net>
Date: Wed, 5 Mar 2003 21:44:11 +0100

* bit_logic () s-mail com [Wed 05 Mar 2003, 21:35 CET]:
C:\>telnet www.blockedsite.com 80

GET / HTTP/1.1
Host: www.blockedsite.com

Given the nature of Telnet, the request is sent to the server one 
character at a time; obviously, the filter cannot examine packets with a 
single character of valid data, so each packet makes it through with no 

Actually, in these situations, telnet works line-based.  That's also why
backspace works (modulo matching terminal emulator and stty settings).

problem.  The blocked server waits until it receives all packets, then 
pieces them together and responds to the request.  Incoming traffic isn't 
monitored, so the user is easily able to receive the source code of the 
page he requested via telnet.

Does a filtering product exist that has not had this flaw in the past?

Unfortunately, I do not have the necessary equipment at my disposal to 
further test the exploit, although I know for a fact that it works, at 
least on firewalls with basic filter configurations.  I also have yet to 
come up with a successful work-around for this bypass, as it occurs at a 
very low level.  If anyone has any ideas, I'm all ears.  Thanks.

Force all HTTP traffic via a proxy that sends out its own HTTP requests
in one packet; don't try to solve social problems with technical
solutions; and above all, realise that filtering in this way is utterly
useless censorship.

        -- Niels.

subvertise me

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]