Bugtraq mailing list archives
Raptor 6.5 http vulnerability
From: Lysel Christian Emre <chlys () WMDATA COM>
Date: Sat, 24 Mar 2001 17:55:29 +0100
1. Problem Description

The Raptor firewall is vulnerable to forwarding http requests on port numbers other than 80, if a rule allows http traffic. Redirect rules do not affect this problem.

When an external or internal client configures itself to use the nearest interface as proxy, it's possible to access ports other than 80 on the target host.

Only the http protocol is allowed and only to a range of TCP ports: TCP, 79-99 and TCP, 200-65535. If a port outside this range is targeted, an Alert will be issued.

An example of what this vulnerability could be used for:

Setting a Raptor firewall up, allowing Universe to access a local web server (host: webserver), listening on port 80 (normal website) and 2000 (admin site).

This would give external users access to the admin site listening on port 2000, if the client is configured to use the external interface as a proxy server (for lynx: "export http_proxy=http://external-interface:80/ ; lynx http://webserver:2000/").

This works not only for external users, but also for internal users.

Testing of the Secure Socket Layer has not been performed.

2. Vulnerable Versions

Raptor firewall 6.5.

2.1 Non Vulnerable Versions

Raptor firewall 6.0.2.
Older versions, not tested.

3. Solution

1. Use httpd.noproxy in the affected rule.
2. Downgrade to version 6.0.2
3. Apply hotfix SG6500-20000920-00 and SG6500-20001121-00, ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip

Hot Fix SG6500-20000920-00 9/20/2000
If client uses firewall as proxy, firewall will forward request to ports other than 80 on server. This vulnerability is fixed by closing all ports for proxy except 80 and port specified by httpd.allow_proxy_to_port_xxx=1.

Hot Fix SG6500-20001121-00 11/21/2000
This hotfix removes the implementation of httpd.allow_proxy_to_port_xxx. Without this implementation, firewall could be used as proxy to access (inbound and outbound) http ports other than 80.

3.1 Workaround:

1. Disable the http proxy, and use the TCP proxy. But this will introduce other security concerns.
2. Disable other listeners at the webserver.

4. References

Found by: Benny Amorsen, benny_amorsen () hp com and Christian E. Lysel, chlys () wmdata com

Reported to Axent the 29th Aug 2000.

--
Christian E. Lysel, Senior Security Consultant,
WM-data Infra Solutions eCom, Lautrupvang 10, DK - 2750 Ballerup
Phone +45 44 78 40 00, Mob +45 44 78 40 29, Fax +45 44 78 40 04
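The port behaviour reported in the message above, next to the port-80-only policy from the first hotfix note, as an added example that is not part of the original post and is not Axent's code. The function names, the `extra_ports` parameter (standing in for ports enabled through httpd.allow_proxy_to_port_xxx) and the sample request lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Port ranges the advisory reports 6.5 forwarding when used as a proxy.
FORWARDED_BEFORE_HOTFIX = (range(79, 100), range(200, 65536))


def proxy_target(request_line):
    """Return (host, port) for a proxy-style HTTP request line, else None."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    url = urlsplit(parts[1])
    # A direct request carries only a path; a proxy request an absolute URI.
    if url.scheme.lower() != "http" or not url.hostname:
        return None
    port = url.port  # raises ValueError for a non-numeric or >65535 port
    return url.hostname, 80 if port is None else port


def forwarded_before_hotfix(port):
    return any(port in r for r in FORWARDED_BEFORE_HOTFIX)


def forwarded_after_hotfix(port, extra_ports=()):
    # Policy in the hotfix note: port 80 plus explicitly enabled ports only.
    return port == 80 or port in extra_ports


def audit(request_lines, extra_ports=()):
    """Targets 6.5 would forward but the port-80-only policy refuses."""
    findings = []
    for line in request_lines:
        target = proxy_target(line)
        if target is None:
            continue
        host, port = target
        if forwarded_before_hotfix(port) and not forwarded_after_hotfix(port, extra_ports):
            findings.append((host, port))
    return findings


# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "GET /index.html HTTP/1.0",
    "GET http://webserver/ HTTP/1.0",
    "GET http://webserver:2000/ HTTP/1.0",
    "GET http://webserver:25/ HTTP/1.0",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over request lines taken from a proxy log, `audit` lists the host and port pairs that a rule review should account for, such as the admin listener on port 2000 in the message's example.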