COMMAND
AppletTrap
SYSTEMS AFFECTED
Trend Micro AppletTrap 2.0
PROBLEM
The following is based on an eDvice Security Services Advisory. Trend
Micro AppletTrap is a product for blocking malicious Java
applets, malicious JavaScript and unsecured ActiveX controls at
the gateway. The product includes an option for URL filtering.
eDvice recently conducted a test of AppletTrap's ability to
filter URLs at the gateway. AppletTrap includes the ability to
restrict access to selected URLs. It does not include the option
to restrict access to all URLs except for selected URLs.
AppletTrap includes some design and implementation flaws, which
allow an attacker to easily bypass restrictions set by the
product administrator. This can be used by internal users to
bypass AppletTrap's restrictions and by authorized web servers to
redirect the user to unauthorized web servers.
eDvice found four problems with AppletTrap's URL filtering
mechanism:
1) Double slash:
Restricted access to http://source.com/restricted could be
bypassed by typing: http://source.com//restricted.
2) URL encoding:
The same restriction could also be bypassed by typing:
http://source.com/r%65stricted
3) Resolving IP addresses:
The same restriction could be bypassed by typing the IP
address of source.com instead of the domain name (the
opposite scenario works as well, i.e. bypassing an IP address
restriction by using the domain name).
4) Dot notation:
Restricting access to a certain IP address (e.g.
http://192.16.100.100) could be bypassed by typing:
http://192.016.100.100 or even http://00192.16.100.100
SOLUTION
Trend Micro was notified on 28 June 2001. The problem was
escalated to their QA department on the same day. No response.
Do not rely on Trend Micro AppletTrap for URL filtering until
Trend Micro fixes the problems.
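
The four bypasses listed under PROBLEM all come from matching the raw URL string, so a filter has to reduce both the rule and the requested URL to one canonical form before comparing. The sketch below is an added example, not code from eDvice or Trend Micro; the function names, the RULES list, the static DNS table and the address 192.0.2.10 for source.com are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-in for a resolver lookup so the example runs offline.
DNS = {"source.com": "192.0.2.10"}
DOTTED = re.compile(r"\d+(\.\d+){3}")

def canonical_host(host):
    host = host.lower().rstrip(".")
    if DOTTED.fullmatch(host):
        # Strip leading zeros (decimal reading, as in the advisory's examples).
        # inet_aton-style parsers read a leading 0 as octal, so a stricter
        # filter would refuse such hosts instead of guessing.
        return ".".join(str(int(part)) for part in host.split("."))
    return DNS.get(host, host)  # name and address collapse to one key

def canonical_path(path):
    path = unquote(path)                 # r%65stricted -> restricted
    path = re.sub(r"/{2,}", "/", path)   # //restricted -> /restricted
    return posixpath.normpath(path or "/")  # also folds "." and ".." segments

def canonicalize(url):
    parts = urlsplit(url)
    return canonical_host(parts.hostname or ""), canonical_path(parts.path)

def is_blocked(url, rules):
    host, path = canonicalize(url)
    for rule in rules:
        r_host, r_path = canonicalize(rule)  # rules get the same treatment
        prefix = r_path.rstrip("/") + "/"
        if host == r_host and (path == r_path or path.startswith(prefix)):
            return True
    return False

# Constructed rule set mirroring the two restrictions in the advisory.
RULES = ["http://source.com/restricted", "http://192.16.100.100"]

if __name__ == "__main__":
    for url in ("http://source.com//restricted",
                "http://source.com/r%65stricted",
                "http://192.0.2.10/restricted",
                "http://192.016.100.100",
                "http://00192.16.100.100",
                "http://source.com/public"):
        print(url, "->", "blocked" if is_blocked(url, RULES) else "allowed")
```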