August 2015
Please note that republishing this article in full or in part is only allowed under the conditions described here.
This article describes several ways of employing uncommon or invalid HTTP responses to transport malware from server to client without being detected by Sophos UTM Web Protection. All of these bypasses were reported to Sophos and most of them are fixed by now.
Sophos UTM is a firewall with deep inspection capabilities, i.e. not a simple packet filter. Formerly called IPS or Secure Gateway, this class of firewalls is now mostly advertised as Unified Threat Management (UTM) or Next Generation Firewall (NGFW).
According to their product page Sophos sees its UTM and Next-Gen Firewall as 'The Ultimate Security Package' and sees itself as an 'Industry leader' because of Gartner reports and because 'Sophos SG Series was named Best UTM Solution at the SC Awards 2015.'
Web traffic is handled by Sophos UTM at the application layer by a proxy, which allows deeper inspection and also modification of the content.
From the product description of Sophos UTM Web Protection:
We block the latest web threats using advanced techniques like JavaScript emulation and Live Protection cloud lookups to detect malicious web code before it reaches the browser. It also prevents infected systems from calling home with sensitive data. Our engine inspects all HTTP, HTTPS and FTP traffic, including active content like Active X, Flash, cookies, VBScript, Java and JavaScript.
Unfortunately, in order to inspect the web code their engine must first get reliable access to the content. And while the trivial bypass by simply using the deflate compression was fixed in 12/2014, a closer look revealed more bypass vectors.
The first bypass was possible by using multiple compressions at the same time. This is the same attack I already published in 07/2013, where I reported bypasses for several IDS and virustotal.com. And while Sophos UTM could not be bypassed if the first encoding was gzip, it could be bypassed when the first encoding was deflate, like in
The issue was reported to Sophos on 2015/05/03 and was fixed with version 9.314-13 on 2015/07/31. Affected are all browsers which support multiple compressions, that is all modern browsers except Internet Explorer. From the announcement:
Unfortunately this short description does not tell the impact of the problem, i.e. the full bypass of protection. Nor does Sophos acknowledge that this bug report came from an external researcher (me).
The Content-Length header gives the size of the content. By using a weird value for the Content-Length together with line folding another bypass was possible. To bypass the firewall with the EICAR test virus (68 bytes) the following response could be used:
Different variations of this bypass were possible.
The issue was reported to Sophos on 2015/05/13 and was fixed with version 9.314-13 on 2015/07/31. All modern browsers are affected. I did not find any issue in the change log pointing to this exact problem, but from the communication with Sophos I know that there was some code cleanup which probably fixed this issue too.
Browsers are way too tolerant when parsing HTTP. It looks like in the case of specifically broken responses Sophos UTM does not inspect the content but instead simply passes the broken response to the client. Such broken response headers might contain plain invalid header lines, fields which are not ASCII-only, or simple HTTP/0.9 responses which do not contain any headers. Example:
Or simply giving the HTTP version in lower case worked too:
All modern browsers are affected by this issue. It was reported to Sophos on 2015/06/25 and was partly fixed with version 9.314-13 on 2015/07/31. But this fix needs to be explicitly enabled by activating the option 'Block unscannable and encrypted files', because Sophos seems to fear that customers run into compatibility issues with broken websites. They are probably right in that customers will notice if a web site gets broken by the firewall but will not notice if a malicious website simply bypasses the firewall. Too bad, since a firewall should protect against the latter one :(
There is no specific issue in the change log about the bug, its impact, and the fact that it is not fixed in the default settings. Also, the issue is only partly fixed since some bypasses still work (for more information try my test tool described below).
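The three bypass classes above (stacked content encodings, a folded or non-numeric Content-Length, and responses with a lower-case or missing status line or with non-ASCII or otherwise invalid header lines) share one root cause: the proxy parses more loosely than it scans, so anything it cannot parse cleanly should be treated as unscannable and blocked rather than forwarded. The following is an added example, not code from this article, from its test suite, or from Sophos: a small strict-parsing classifier in Python that reports every reason a response falls outside the unambiguous HTTP/1.x grammar. The sample responses, the placeholder bodies and the header name X-Note are constructed for this example.

```python
import re

# Grammar fragments from RFC 7230 used to decide what a scanning proxy can parse
# unambiguously.  Anything outside this grammar is reported, not guessed at.
STATUS_LINE = re.compile(rb'^HTTP/1\.[01] [1-5][0-9]{2}(?: [^\r\n]*)?$')
TOKEN = re.compile(rb'^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$')
KNOWN_CODINGS = {b'gzip', b'x-gzip', b'deflate', b'identity', b'br', b'compress'}


def classify_response(raw):
    """Return the reasons why a content-scanning proxy cannot rely on its own
    parse of this raw response.  An empty list means the framing is unambiguous
    and the body can be decoded and inspected with confidence."""
    reasons = []
    head, sep, body = raw.partition(b'\r\n\r\n')
    if not sep:                          # tolerate bare-LF line endings
        head, sep, body = raw.partition(b'\n\n')
    lines = re.split(rb'\r?\n', head)
    status = lines[0]

    if status[:5].upper() != b'HTTP/':
        # No status line at all: an HTTP/0.9-style response without headers.
        reasons.append('no status line (HTTP/0.9-style response)')
        return reasons
    if not STATUS_LINE.match(status):
        # e.g. lower-case "http/1.1" or an unexpected version token
        reasons.append('malformed status line: %r' % status)

    headers = {}                         # lower-cased name -> list of raw values
    last_name = None
    for line in lines[1:]:
        if any(byte > 0x7F for byte in line):
            reasons.append('non-ASCII bytes in header line: %r' % line)
        if line[:1] in (b' ', b'\t'):
            # Obsolete line folding: a continuation of the previous field value.
            if last_name is None:
                reasons.append('continuation line with no preceding header')
            else:
                reasons.append('obsolete line folding in header %r' % last_name)
                headers[last_name][-1] += b' ' + line.strip()
            continue
        name, colon, value = line.partition(b':')
        if not colon or not TOKEN.match(name):
            reasons.append('invalid header line: %r' % line)
            last_name = None
            continue
        last_name = name.lower()
        headers.setdefault(last_name, []).append(value.strip())

    codings = [c.strip().lower()
               for v in headers.get(b'content-encoding', [])
               for c in v.split(b',') if c.strip()]
    if len(codings) > 1:
        # Stacked encodings: the scanner must undo every layer in order; one
        # that only handles the first layer is left looking at opaque bytes.
        reasons.append('multiple content-encodings: '
                       + ', '.join(c.decode('ascii', 'replace') for c in codings))
    for c in codings:
        if c not in KNOWN_CODINGS:
            reasons.append('unknown content-encoding: %r' % c)

    lengths = [v.strip() for v in headers.get(b'content-length', [])]
    if len(set(lengths)) > 1:
        reasons.append('conflicting content-length values')
    for value in lengths:
        if not value.isdigit():
            reasons.append('non-numeric content-length: %r' % value)
        elif int(value) != len(body):
            reasons.append('content-length %d does not match body length %d'
                           % (int(value), len(body)))
    return reasons


# Constructed sample responses (not taken from the article or its test suite);
# the body is a harmless placeholder in every case.
SAMPLES = {
    'clean':         b'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello',
    'double_coding': b'HTTP/1.1 200 OK\r\nContent-Encoding: deflate, gzip\r\nContent-Length: 5\r\n\r\nhello',
    'folded_length': b'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\t68\r\n\r\nhello',
    'lowercase_ver': b'http/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello',
    'http09':        b'<html>payload placeholder</html>',
    'non_ascii_hdr': b'HTTP/1.1 200 OK\r\nX-Note: caf\xc3\xa9\r\nContent-Length: 5\r\n\r\nhello',
    'junk_line':     b'HTTP/1.1 200 OK\r\nthis is not a header\r\nContent-Length: 5\r\n\r\nhello',
}


def scan_samples():
    """Classify every sample; a proxy would forward only those with an empty list."""
    return {name: classify_response(raw) for name, raw in SAMPLES.items()}


if __name__ == '__main__':
    for name, reasons in scan_samples().items():
        verdict = 'PASS (scannable)' if not reasons else 'BLOCK (unscannable)'
        print('%-14s %s' % (name, verdict))
        for r in reasons:
            print('               - ' + r)
```

The classifier deliberately returns every reason instead of stopping at the first, because a single response often combines several oddities (the folded Content-Length sample is flagged both for the folding and for the resulting non-numeric value). The policy decision, forwarding only responses with an empty list, corresponds to what the 'Block unscannable and encrypted files' option described above is meant to enforce.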
Even though Sophos did not publicly acknowledge me for the bug reports and even though they did not manage to fix everything, I still like to thank them for their courage to offer a version of their UTM for home use and for being open to bug reports from outside.
And while this kind of bypass can be trivially executed by an attacker, one should be aware that firewalls from other vendors are not necessarily better at protecting the client. I'm currently investigating reports that some highly praised Next Generation Firewalls by other vendors can be bypassed with similar techniques.
Thus if you are behind a firewall and are not yet fully lulled by the advertisements of your vendor, you might want to check for yourself how resistant your firewall is against this kind of attack. This check might be as simple as pointing your browser to my test site and running the 'Bulk test firewall evasion with EICAR test virus' there. This test tries to download the harmless EICAR test virus, which should be detected by every virus scanner. But even though no harm will be done to your computer by running these tests, some firewall vendors still consider this test site malicious, maybe because it shows that their own products can be bypassed. In this case you might set up your own server by using the publicly available code.
Information about other kinds of bypasses at the application level can be found at my page about employing the semantic gap for bypasses.