[19861] in bugtraq
Re: Raptor 6.5 http vulnerability
daemon@ATHENA.MIT.EDU (Alexander Bochmann)
Tue Mar 27 03:52:17 2001
Message-ID: <20010327002632.F6370@styx.gxis.de>
Date: Tue, 27 Mar 2001 00:26:32 +0200
Reply-To: Alexander Bochmann <ab@GXIS.DE>
From: Alexander Bochmann <ab@GXIS.DE>
X-To: Lysel Christian Emre <chlys@wmdata.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <F117D97CF18AD3119A5240008308566A10ECA0@WMSI000273>; from
chlys@wmdata.com on Mon, Mar 26, 2001 at 10:34:30PM +0200
Hi,
...on Mon, Mar 26, 2001 at 10:34:30PM +0200, Lysel Christian Emre wrote:
> > I already noticed some months ago that the Raptor (6.0.2)
> > firewall's http gateway possibly leaks information about an
> > internal network with the method you described, if redirected
> It does not leak information about the internal network. The apache
> webserver can leak information from error pages:
It does, because by trial-and-error, you can find out about
IP addresses used on an internal interface with connections
from an outside interface, with basically the same method
as you described it, and by just monitoring the answers returned
by the firewall.
(On another note, at least with 6.5, if spoofing protection
isn't activated and configured correctly on the internal
interfaces, you can also flood the internal network with
packets generated by the firewall as answer to (spoofed)
packets on the outside interface - if you know the networks
used internally.)
> > It's possible to brute-force IP addresses used on a DMZ
> > network: If you use the http gateway on the external
> > interface as proxy, you can access internal IPs (and
> > internal DNS names) directly - just try them all ;)
> This should generate some logs!
As always, there has to be someone watching them.
> And can also be blocked by: http.urlpattern
> > Example:
> > > setenv http_proxy http://external.firewall.name:80/
> > Now go on with something like...
> > > lynx -mime_header http://192.168.95.2:80/
> > HTTP/1.1 503 Service Unavailable
> > Server: Simple, Secure Web Server 1.1
> > [.. etc ..]
> This is the internal interface for the firewall, right?
Right, but as I said, this request can be sent from the
outside interface.
You can also use internal DNS names from an outside interface
when addressing the http gateway as proxy, but I think these
are usually more difficult to find out, unless you have
an additional information source.
> > ...or, if you are lucky, an answer from a web server:
> > % lynx -mime_header http://192.168.95.74:80/
> And this is a request to the webserver?
Yes, located on an internal network.
> http.remove-header, should remove the headers :)
I didn't know that one... But I don't think it would
help, as an IP address with a working web server on
it will usually return an answer that doesn't look like
the error page of the http gateway on the Raptor, which
will be indication enough you have found a valid
internal IP, and can go on from there.
Alex.
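The thread's point for the defender is that the brute-force is visible if someone actually reads the gateway logs: an outside client asking the proxy for one internal address after another, and the targets whose response differs from the gateway's own error page, are exactly the pattern to alert on. The following script is an added example (not from this thread or from the Raptor product) that runs that detection over a few constructed log lines. The field layout `src=... dst=... status=...`, the internal DNS suffix `corp.example` and the client addresses are assumptions; a real deployment would parse the gateway's actual log format and use the site's own internal prefixes.

```python
"""Flag outside proxy clients that request internal hosts through the http gateway.
Added example: the log format below is constructed, not the Raptor gateway's own."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (assumed layout, one request per line).
SAMPLE_LOG = """\
2001-03-26T22:34:30 src=203.0.113.7 dst=192.168.95.1 status=503
2001-03-26T22:34:31 src=203.0.113.7 dst=192.168.95.2 status=503
2001-03-26T22:34:32 src=203.0.113.7 dst=192.168.95.74 status=200
2001-03-26T22:34:33 src=203.0.113.7 dst=intranet.corp.example status=200
2001-03-26T22:35:10 src=192.168.1.20 dst=www.example.org status=200
2001-03-26T22:35:11 src=203.0.113.9 dst=www.example.org status=200
"""

# RFC 1918 ranges stand in for the site's real internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical internal DNS suffix; replace with the site's own.
INTERNAL_SUFFIXES = ("corp.example",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_internal(host):
    """True if host is an address inside INTERNAL_NETS or a name under an internal suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat it as a DNS name.
        return host.lower().endswith(tuple("." + s for s in INTERNAL_SUFFIXES))
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_probes(log_text, gateway_error_status=503):
    """Return {outside_src: {"targets": [...], "answered": [...]}}.

    'targets' lists every internal host an outside client asked the proxy for;
    'answered' lists those whose status differs from the gateway's own error
    page, i.e. the replies that reveal a live internal host."""
    report = defaultdict(lambda: {"targets": [], "answered": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue
        entry = report[rec["src"]]
        if rec["dst"] not in entry["targets"]:
            entry["targets"].append(rec["dst"])
        if rec["status"] != gateway_error_status and rec["dst"] not in entry["answered"]:
            entry["answered"].append(rec["dst"])
    return dict(report)


if __name__ == "__main__":
    for src, info in find_internal_probes(SAMPLE_LOG).items():
        print(f"{src}: asked for {len(info['targets'])} internal hosts, "
              f"{len(info['answered'])} answered unlike the gateway: {info['answered']}")
```

Two design choices matter here: the source address is checked against the same internal list as the destination, so legitimate inside-to-outside proxy use is ignored, and the gateway's error status is a parameter because the point of the thread is that a response *unlike* the gateway's error page is what confirms a host; any other status code or page shape can be substituted once the real gateway behaviour is known.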