 
Full Disclosure mailing list archives
Astaro Security Gateway - bypass using whitelist domain pattern weakness
From: upsploit advisories <upsploitadvisories () upsploit com>
Date: Fri, 10 Feb 2012 11:00:20 +0000
*Advisory Information*
Title: Astaro Security Gateway - bypass using whitelist domain pattern weakness
upSploit Ref: UPS-2011-0041

*Advisory Summary*
Astaro Security Gateway's default Web Filtering Exceptions allow specially named domains to bypass security features of the firewall.

*Vendor*
Astaro

*Affected Software*
Astaro Security Gateway
"Astaro Security Gateway hardware, software, and virtual appliances provide full Unified Threat Management protection. All platforms include the complete feature set and the same ease-of-use." - http://www.astaro.com/

*Description of Issue*
The Home edition of Astaro Security Gateway was tested; other versions may be affected.

In the ASG WebAdmin console, choose Web Security, Web Filtering, Exceptions. The following regular expressions form a default whitelist that exempts matching URLs from the firewall's features at varying levels, presumably to achieve compatibility:

^https?://[A-Za-z0-9.-]*adobe.com/
^https?://[A-Za-z0-9.-]*apple.com/
^https?://[A-Za-z0-9.-]*windowsupdate.com/
^https?://[A-Za-z0-9.-]*microsoft.com/

However, a savvy attacker need only serve malware from a drive-by web site named www.exampleadobe.com (which matches the first regular expression above), because the character class [A-Za-z0-9.-]* allows arbitrary letters immediately before the vendor's domain rather than requiring a complete DNS label and a dot. The features of the firewall that would be bypassed include: Antivirus / Extension blocking / Content Removal / Authentication / URL Filter.

The regular expressions need to be fixed to ensure the domain cannot be prefixed with other letters.

*PoC*
Use of a domain name such as www.exampleadobe.com to serve up the EICAR test file (untested).

*Fix*
Update to the latest version.

*Credits*
Timeless Prototype

*References*
http://www.astaro.com/
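To make the pattern weakness concrete, the following added example (not part of the original advisory and not Astaro's code) evaluates the four default exception patterns quoted above against a handful of constructed URLs and compares them with a tightened form of the same patterns. The hardened patterns are an assumption about how one would anchor the domain, not the vendor's fix: they require every label in front of the vendor domain to be a complete DNS label followed by a literal dot, and they escape the dots in the domain so they no longer act as wildcards.

```python
import re

# The four default Web Filtering Exceptions quoted in the advisory, verbatim.
DEFAULT_EXCEPTIONS = [
    r"^https?://[A-Za-z0-9.-]*adobe.com/",
    r"^https?://[A-Za-z0-9.-]*apple.com/",
    r"^https?://[A-Za-z0-9.-]*windowsupdate.com/",
    r"^https?://[A-Za-z0-9.-]*microsoft.com/",
]

# Hardened equivalents (assumption, not the vendor's fix): the host must be the
# vendor domain itself or a chain of complete labels each ending in a literal dot,
# and the dots inside the vendor domain are escaped so they match only '.'.
HARDENED_EXCEPTIONS = [
    r"^https?://(?:[A-Za-z0-9-]+\.)*adobe\.com/",
    r"^https?://(?:[A-Za-z0-9-]+\.)*apple\.com/",
    r"^https?://(?:[A-Za-z0-9-]+\.)*windowsupdate\.com/",
    r"^https?://(?:[A-Za-z0-9-]+\.)*microsoft\.com/",
]


def matching_exceptions(url, patterns):
    """Return the exception patterns that would exempt this URL from filtering."""
    return [p for p in patterns if re.match(p, url)]


def is_whitelisted(url, patterns):
    """True if at least one exception pattern matches (i.e. filtering is bypassed)."""
    return bool(matching_exceptions(url, patterns))


# Constructed sample URLs for the comparison. Hosts such as exampleadobe.com and
# adobexcom are illustrative only and are not claimed to exist or to be malicious.
SAMPLE_URLS = [
    "http://www.adobe.com/reader",                 # legitimate vendor host
    "https://get.adobe.com/flashplayer/",          # legitimate vendor subdomain
    "http://download.windowsupdate.com/update.cab",
    "http://www.exampleadobe.com/malware.exe",     # prefix weakness from the advisory
    "http://wwwadobe.com/malware.exe",             # no dot before the vendor domain
    "http://www.adobexcom/",                       # unescaped '.' matches any character
    "http://www.example.com/adobe.com/",           # vendor string only in the path
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (whitelisted by defaults, whitelisted by hardened patterns)."""
    return {
        url: (is_whitelisted(url, DEFAULT_EXCEPTIONS),
              is_whitelisted(url, HARDENED_EXCEPTIONS))
        for url in urls
    }


def bypass_only_urls(urls=SAMPLE_URLS):
    """URLs the default patterns exempt but the hardened patterns do not."""
    return [u for u, (weak, strong) in compare(urls).items() if weak and not strong]


if __name__ == "__main__":
    for url, (weak, strong) in compare().items():
        print(f"{url:45} default={weak!s:5} hardened={strong!s:5}")
```

The `^` anchor in the default patterns already blocks the vendor string appearing only in the path; what it does not block is any run of letters, digits, dots and hyphens directly in front of `adobe.com/`, which is exactly what a host such as www.exampleadobe.com exploits. Note that the hardened patterns deliberately do not accept a port or userinfo before the path; a deployment that needs those would have to extend the host part accordingly rather than loosen the character class again.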
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/


