Bugtraq mailing list archives

Raptor 6.5 http vulnerability

From: Lysel Christian Emre <chlys () WMDATA COM>
Date: Sat, 24 Mar 2001 17:55:29 +0100

1. Problem Description

        The Raptor firewall is vulnerability for forwarding http
        request on other port numbers than 80, if a rule allows http
        traffic.

        Redirect rules does not affect this problem.

        When an extern or internal client, configures itself to use
        the nearest interface as proxy, it's possible to access other
        ports that 80 on the target host.

        Only the http protocol is allowed and only to a range of TCP
        ports:

                TCP, 79-99 and TCP, 200-65535.

        If a port outside this range is targeted, an Alert
        will be issued.

        An example of what is vulnerability could be used for:

                Setting a Raptor firewall up, allowing Universe to
                access a local web server (host: webserver), listening
                on port 80 (normal website) and 2000 (admin
                site). This would give external users access to the
                admin site listening on port 2000, if the client is
                configured to use the external interface as a proxy
                server (for lynx: "export http_proxy =
                http://external-interface:80/ ; lynx
                http://webserver:2000/";).
        
        This works not only for external users, but also for internal
        users.

        Testing of the Secure Socket Layer has not been performed.



2. Vulnerable Versions

        Raptor firewall 6.5.

2.1 Non Vulnerable Versions

        Raptor firewall 6.0.2.
        Older versions, not tested.

3. Solution

        1. Use httpd.noproxy in the affected rule.

        2. Downgrade to version 6.0.2

        3.  Apply hotfix SG6500-20000920-00 and SG6500-20001121-00,
        
ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip

          Hot Fix SG6500-20000920-00 9/20/2000

          if client uses firewall as proxy, firewall will forward
          request to ports other than 80 on server. this vulnerability
          is fixed by closing all ports for proxy except 80 and port
          specified by httpd.allow_proxy_to_port_xxx=1.

          Hot Fix SG6500-20001121-00 11/21/2000

          this hotfix removes the implementation of
          httpd.allow_proxy_to_port_xxx.  Without this implementation,
          firewall could be used as proxy to access (inbound and
          outbound) http ports other than 80.

3.1 Workaround:

        1. Disable the http proxy, and use the TCP proxy. But this
        will introduce other security concerns.

        2. Disable other listeners at the webserver.


4. References

        Found by:

        Benny Amorsen, benny_amorsen () hp com and
        Christian E. Lysel, chlys () wmdata com

        Reported to Axent the 29th Aug 2000.

--
Christian E. Lysel, Senior Security Consultant,
WM-data Infra Solutions eCom, Lautrupvang 10, DK - 2750 Ballerup
Phone +45 44 78 40 00, Mob +45 44 78 40 29, Fax +45 44 78 40 04

Current thread:

Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 25)
- Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
  - Re: Raptor 6.5 http vulnerability Erik Groennerud (Mar 27)
- <Possible follow-ups>
- Re: Raptor 6.5 http vulnerability Lysel Christian Emre (Mar 26)
  - Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 26)
    - Re: Raptor 6.5 http vulnerability Alexander Bochmann (Mar 27)