SurfControl SuperScout can be Bypassed Using Split Packets
20 Jun. 2001
Summary
SurfControl's SuperScout software offers an advanced web filtering technology for the corporate environment. A security vulnerability in the product allows users to bypass the restriction imposed on them by splitting up the HTTP requests into two packets.
Credit:
The information has been provided by Neil Desai.
You can bypass the software by using a proxy server before your traffic is looked at by SurfControl SuperScout. SurfControl only looks at packets that have the HTTP GET request and "Host:" information inside it. If you split up the request, so that HTTP GET request is not in the same packet as the "Host:" information then SurfControl will ignore the request, and allow it to continue unmonitored.
You can easily split up HTTP requests by using a proxy server before you get to the node that is doing the Internet monitoring.
Proxies types you can use:
1) If you have Compaq PC's or servers that are not patched you can proxy off the Insight Manager software.
2) If you have PERL installed you can use RFProxy, HTTPush or Pudding. (These programs were intended for the testing of IDS evasion techniques but work wonders for Internet monitoring/blocking evasion).
