Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet
From: Niels Bakker <niels=bugtraq () bakker net>
Date: Wed, 5 Mar 2003 21:44:11 +0100
* bit_logic () s-mail com [Wed 05 Mar 2003, 21:35 CET]:
> C:\>telnet www.blockedsite.com 80
> GET / HTTP/1.1
>
> Given the nature of Telnet, the request is sent to the server one
> character at a time; obviously, the filter cannot examine packets with a
> single character of valid data, so each packet makes it through with no
Actually, in these situations, telnet works line-based. That's also why
backspace works (modulo matching terminal emulator and stty settings).
> problem. The blocked server waits until it receives all packets, then
> pieces them together and responds to the request. Incoming traffic isn't
> monitored, so the user is easily able to receive the source code of the
> page he requested via telnet.
Does a filtering product exist that has not had this flaw in the past?
> Unfortunately, I do not have the necessary equipment at my disposal to
> further test the exploit, although I know for a fact that it works, at
> least on firewalls with basic filter configurations. I also have yet to
> come up with a successful work-around for this bypass, as it occurs at a
> very low level. If anyone has any ideas, I'm all ears. Thanks.
Force all HTTP traffic via a proxy that sends out its own HTTP requests
in one packet; don't try to solve social problems with technical
solutions; and above all, realise that filtering in this way is utterly
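The bypass discussed above, and the proxy-style fix, modelled as an added example that is not part of the thread or of any 3Com product code. It splits one HTTP request the way a character-mode or line-mode telnet client would put it on the wire, runs a stateless per-segment filter over the pieces, and then runs a filter that reassembles the client stream up to the end of the headers before matching, which is what forcing traffic through a proxy achieves. The blocklist signature and the request (which, unlike bit_logic's, carries a Host header) are constructed for illustration; the real filter's rules are not described in the thread.

```python
"""Per-segment versus reassembling HTTP content filtering.

Added example; the signature list and the request below are constructed
and do not describe the 3Com SuperStack 3 filter's actual configuration.
"""
import re
from typing import Optional

# Constructed blocklist for illustration.
BLOCKED_PATTERNS = [
    re.compile(rb"www\.blockedsite\.com", re.IGNORECASE),
]

# Constructed request (bit_logic's original "GET / HTTP/1.1" had no Host header).
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.blockedsite.com\r\n\r\n"


def segment_by_char(request: bytes) -> list:
    """One TCP payload per keystroke, as a character-mode telnet client sends it."""
    return [request[i:i + 1] for i in range(len(request))]


def segment_by_line(request: bytes) -> list:
    """One TCP payload per line, as a line-mode telnet client sends it."""
    return request.splitlines(keepends=True)


def whole_request(request: bytes) -> list:
    """The request in a single payload, as a browser or an HTTP proxy sends it."""
    return [request]


def per_segment_filter(segments) -> bool:
    """Stateless filter: every payload is matched on its own and then forgotten.

    Returns True when some segment trips a signature. A signature that never
    fits inside one segment can never match, which is the bypass in the thread.
    """
    return any(p.search(seg) for seg in segments for p in BLOCKED_PATTERNS)


class ReassemblingFilter:
    """Stateful filter: buffers the client stream until the end of the HTTP
    headers, then matches once over the complete request header block.

    A proxy does this implicitly, because it only ever emits whole requests
    on the outbound side.
    """

    HEADER_END = b"\r\n\r\n"
    MAX_BUFFER = 16 * 1024  # bound the buffer so a client cannot make us hold state forever

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, segment: bytes) -> Optional[bool]:
        """Return None while the request is incomplete, True if blocked, False if clean."""
        self.buf += segment
        if len(self.buf) > self.MAX_BUFFER:
            return True  # headers never terminated within the bound: fail closed
        if self.HEADER_END not in self.buf:
            return None
        headers, _, self.buf = self.buf.partition(self.HEADER_END)
        return any(p.search(headers) for p in BLOCKED_PATTERNS)


def reassembling_filter(segments) -> bool:
    """Drive the stateful filter over a list of payloads; True means blocked."""
    f = ReassemblingFilter()
    for seg in segments:
        verdict = f.feed(seg)
        if verdict is not None:
            return verdict
    return True  # request never completed, so nothing would be forwarded


if __name__ == "__main__":
    for name, split in (("whole", whole_request), ("line", segment_by_line), ("char", segment_by_char)):
        segs = split(REQUEST)
        print(f"{name:5s} per-segment blocked={per_segment_filter(segs)} "
              f"reassembled blocked={reassembling_filter(segs)}")
```

Note that a line-mode telnet client is still caught by a signature that fits on one header line (as in Niels' point that telnet is usually line-based); only character-mode sending, or a signature that spans lines, defeats the per-segment filter. The reassembling filter catches both, at the cost of keeping per-connection state, which is why it needs a buffer bound.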