COMMAND

    NetGap

SYSTEMS AFFECTED

    SpearHead NetGap

PROBLEM

    The following was discovered by eDvice Security Services.
    SpearHead's NetGAP appliance physically disconnects a company's
    network from the Internet.  The product consists of two separate
    computers, an Untrusted CPU and a Trusted CPU, that are never
    directly connected at any given time.

    NetGap includes a content checking engine.  This engine supports
    filtering of specified file types as they are downloaded over
    HTTP.  For example, the security administrator can prevent
    internal users from downloading executable (.exe) files by using
    the content checking engine to filter exe files.

    Using  Unicode  encoding  techniques,  a  user (or a malicious web
    site) can bypass NetGap's filtering engine.

    Web servers accept Unicode representation of characters in the URL
    by using a "%nn" notation.  The NetGap™ URL filter does not
    correctly interpret URLs containing Unicode representation of
    characters.  Consequently, the file

        http://www.target.com/evilfile.exe

    will go undetected by NetGap if represented as

        http://www.target.com/evilfile.ex%65

    However,  when  this  URL  reaches  the  web  server,  it  will be
    interpreted exactly the same as

        http://www.target.com/evilfile.exe

    and the file will be downloaded to the user's desktop.

SOLUTION

    '%' encoding is used to encode any 'non-legal' characters in URL
    format strings.  The bug is that NetGap does not 'URL decode' the
    string before doing comparisons.

    '%' (URL) encoding is *not* Unicode encoding - Unicode is a
    multibyte character set, which uses binary values outside the
    32-127 range of printable ASCII.  When Unicode characters are used
    in URLs, they are usually/often expressed in 'utf-8' encoding,
    which uses a short sequence of binary values to encode a full
    Unicode character.  Many of the values used in utf-8 encoding of
    Unicode are illegal in URLs without using 'URL encoding' (%
    escaping), but not all % escaped characters represent either utf-8
    or Unicode.  The two are often mixed up because a number of recent
    MS IIS vulnerabilities have been due to incorrect 'unicode'
    decoding and/or incorrect detection of utf-8 encoded Unicode
    characters, some of which were due to ambiguities in the
    checking/removing of URL encoding.  However, many more web server
    bugs are related solely to the common mistake of simply not
    removing URL encoding before doing security checks, such as the
    one demonstrated in NetGAP.

    The problem was fixed in build 78 of the NetGAP software.
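
    The decode-before-compare check described above, as an added
    example (not SpearHead's code or part of the original advisory).
    The function names and the blocked-extension policy are
    assumptions, and the case-folding step goes beyond the advisory.

```python
from urllib.parse import unquote, urlsplit

# Constructed policy for this example: extensions the filter must block.
BLOCKED_EXTENSIONS = (".exe",)


def naive_is_blocked(url: str) -> bool:
    """Model of the flawed check: compares the raw, still-encoded path."""
    return urlsplit(url).path.endswith(BLOCKED_EXTENSIONS)


def is_blocked(url: str) -> bool:
    """Decode %nn escapes once, as the web server will, then compare."""
    raw_path = urlsplit(url).path  # query string and fragment are excluded
    # errors="replace" keeps invalid UTF-8 byte sequences from raising.
    decoded = unquote(raw_path, encoding="utf-8", errors="replace")
    # Case-folding is an addition beyond the advisory: many servers and
    # file systems treat .EXE and .exe as the same file.
    return decoded.lower().endswith(BLOCKED_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample URLs; the first two come from the advisory text.
    samples = [
        "http://www.target.com/evilfile.exe",
        "http://www.target.com/evilfile.ex%65",
        "http://www.target.com/evilfile.%45XE",
        "http://www.target.com/index.html",
    ]
    for url in samples:
        print(f"{url:45} naive={naive_is_blocked(url)!s:5} "
              f"decoded={is_blocked(url)}")
```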