Corrections about Squid/McAfee URL Filtering Bypass Apr 30 2012 06:22PM
Gabriel Menezes Nunes (gab mnunes gmail com)
Hi Security Community,

I would like to correct the security vulnerabilities that I found recently.
All my research was made against a McAfee Web Gateway 7, and, after I
finished the proof of concept, I tested against Squid.
Both are vulnerable to SSL Translation Attack (converting hostnames to
IP). But Squid do not use the HOST field of HTTP protocol. But McAfee
uses it.
The latest default configuration of Squid blocks CONNECT methods for
all ports but 443. McAfee allows CONNECT for 80 and 443.
So the tests I made with Host header works ONLY for McAfee Web Gateway
and the translation of GET methods to CONNECT methods will work ONLY
for McAfee, because Squid blocks CONNECT for port 80. But, if the
proxy allows this kind of connection, the proxy can be vulnerable (for
translation of the HTTP methods) .
Sorry for the misunderstanding.

SSL CONNECT Translation Attack (Hostname to IP address):
McAfee Web Gateway 7: Vulnerable
Squid Proxy: Vulnerable

GET TO CONNECT Translation Attack:
McAfee Web Gateway 7: Vulnerable
Squid Proxy: Not Vulnerable

Using of Host field as a criteria for URL Filtering:
McAfee Web Gateway 7: Vulnerable
Squid Proxy: Not Vulnerable

So, Squid is ONLY vulnerable to the attacks if the filtered site is using SSL.
McAfee Web Gateway is vulnerable to all attacks.

If anyone has access to other proxies like BlueCoat, test and send a feedback.


Gabriel Menezes Nunes

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus