VML overflow exploit causing iWeb Pages to be filtered by firewall

I've recently become aware that some firewalls are blocking iWeb sites because of a suspected "VML fill method overflow attempt". Specifically, something in the pages generated by iWeb is blocked by the Intrusion Detection filters on ZyXEL firewalls.

For a discussion of this vulnerability, see http://osvdb.org/31250

Has anyone else run into this, or had people claim they can't see your page? It is ridiculous that a MS vulnerability would cause a page generated by an Apple program, hosted on an Apple site, to be blocked from viewing by an Apple browser, but such is the world we live in.

Does anyone know what the offending code is or if there is a workaround?

Many different Macs, Mac OS X (10.5.8)

Posted on Aug 7, 2009 6:02 AM


Aug 7, 2009 9:39 AM in response to Tom Gewecke

Tom:

The situation where I'm experiencing this is with a user that is behind a ZyXEL firewall. If they try to go to any web.me.com page that was generated with iWeb, at some point in the download of the necessary files for the page, the firewall blocks all further traffic and the user is left with a perpetual spinner. According to the firewall's log, it has detected a "VML fill method overflow attempt," and thus terminated the conversation.

This particular filter is part of the default settings for ZyXEL's Intrusion Detection filtering.

The link I provided gives details about what the ZyXEL is trying to protect some Windows machines from. You would not be able to reproduce this error unless you are behind a firewall looking for the same exploit.

Since most users are unable to control the firewalls they sit behind, I hope this could be addressed.

In one particular instance, when loading an iWeb "Welcome" page, the transmission ends when the status bar says Downloading 5 of 6, which according to the activity viewer, would be Welcome.css.

Aug 7, 2009 10:11 AM in response to phil's gone sailing

The situation where I'm experiencing this is with a user that is behind a ZyXEL firewall.


Have you been able to verify that the problem affects multiple machines and the main different browsers on both PCs and Macs?

Have you found any other references to the problem other than your own experience?

Since most users are unable to control the firewalls they sit behind, I hope this could be addressed.


I think you will probably need to ask the people who make the firewall why an ordinary .js or .css file would cause this problem with their product. You can normally easily download the exact file by putting its full URL in the browser address bar on a machine not behind the firewall.

You could also inform Apple via the link below. But it seems unlikely they would be able themselves to duplicate the problem and thus even begin to figure out what is happening.

http://www.apple.com/feedback/iweb.html

Aug 7, 2009 10:51 AM in response to Tom Gewecke

Thanks Tom for your comments.

I have in fact determined that this affects all machines, PCs, Macs, Linux, etc., that sit behind this firewall. Further, I've determined that the firewall does block the iWebSite.js file specifically, and that if you turn off filtering for this specific exploit, the firewall allows the page through.

I'm now trying to determine what signature the firewall is looking for. Based on Microsoft's TechNet bulletin on the topic, it should be scanning the response body of any HTTP request for the following strings: "urn:schemas-microsoft-com:vml", "<v:", "v\:", "xmlns:v=", and finally "url(#default#vml)", none of which show up in the iWebSite.js file. It's possible, I suppose, that ZyXEL is looking for some other string to identify potentially malicious sites, and possibly erroneously so. I'll have to wait until I hear from them. If you're not familiar with this kind of technology, this firewall is doing so-called Deep Packet Inspection (DPI), where the firewall is inspecting the content of each package for possibly malicious code--as any ordinary js or css file could possibly contain such malicious code.

As this is obviously a case of an accidental match, I was hoping maybe someone had seen this before, as a little reformatting of the offending file, which I know now is iWebSite.js, would let the file pass the filter.
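
The check described in the last post, as an added example that is not part of the original thread: it scans a downloaded response body for the five VML marker strings quoted there and reports where each one occurs, which is how you would confirm whether a flagged file contains any of them. Case-insensitive matching, the gzip handling, and the function names are assumptions of this example; both sample bodies are constructed, since the real iWebSite.js is not reproduced on this page.

```python
import gzip

# Marker strings exactly as listed in the post above (attributed there to
# Microsoft's TechNet bulletin). Matching case-insensitively is an assumption.
VML_MARKERS = [
    b"urn:schemas-microsoft-com:vml",
    b"<v:",
    b"v\\:",
    b"xmlns:v=",
    b"url(#default#vml)",
]

def decode_body(body: bytes) -> bytes:
    """Undo gzip content-encoding if present, so the markers are visible."""
    if body[:2] == b"\x1f\x8b":  # gzip magic bytes
        return gzip.decompress(body)
    return body

def find_vml_markers(body: bytes, context: int = 20):
    """Return (marker, offset, surrounding text) for every occurrence."""
    data = decode_body(body)
    lowered = data.lower()
    hits = []
    for marker in VML_MARKERS:
        start = lowered.find(marker)
        while start != -1:
            end = start + len(marker) + context
            snippet = data[max(0, start - context):end].decode("latin-1")
            hits.append((marker.decode(), start, snippet))
            start = lowered.find(marker, start + 1)
    return sorted(hits, key=lambda h: h[1])

# Constructed samples: a harmless VML page and an ordinary script.
SAMPLE_VML_PAGE = (
    b'<html xmlns:v="urn:schemas-microsoft-com:vml">'
    b"<style>v\\:* { behavior: url(#default#VML); }</style>"
    b'<v:rect><v:fill method="none"/></v:rect></html>'
)
SAMPLE_PLAIN_JS = b"function setLocation(u) { window.location = u; }\n"

if __name__ == "__main__":
    samples = [("vml page", SAMPLE_VML_PAGE), ("plain js", SAMPLE_PLAIN_JS),
               ("gzipped vml page", gzip.compress(SAMPLE_VML_PAGE))]
    for name, body in samples:
        hits = find_vml_markers(body)
        print(f"{name}: {len(hits)} marker hit(s)")
        for marker, offset, snippet in hits:
            print(f"  {offset:5d}  {marker!r}  {snippet!r}")
```

A file that returns no hits here but is still blocked points to the firewall matching on something other than these strings, which is the question to put to the vendor along with the exact file.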
