Re: CheckPoint FW1 HTTP Security Hole

From: Scott Walker Register (scott.registerat_private)
Date: Sun Feb 24 2002 - 10:25:30 PST


    Check Point Statement on use of HTTP Connect commands
     
    As noted in the original posting, no escalation of privilege is granted via the use of HTTP Connect commands with the FireWall-1 HTTP security server; that is, connections via the HTTP security server are blocked unless specified in the rule base. Therefore, a properly constructed rule base mitigates the effect of this malicious use of a valid function of an HTTP proxy.
     
    Check Point is taking action to give administrators enhanced control of this type of connection, and will offer that improved functionality in the next product update.
     
    ------------------------
      From: Volker Tanger <volker.tangerat_private>
      Subject: CheckPoint FW1 HTTP Security Hole
      Date: Tue, 19 Feb 2002 16:05:22 +0100 
      To: bugtraqat_private
    
    
    > Greetings!
    > 
    > A quite well-known proxy vulnerability was found for FW1 V4.1 SP5 (plus
    > hotfixes) - thanks to Ryan Snyder for announcing the first bits on the
    > Firewall-1 mailing list.
    > 
    > Connect to a server you are allowed to reach via the HTTP proxy
    > (e.g. a common rule is "Any / WebServer / http->resource"), then
    > use the CONNECT method to connect to a different server, e.g.
    > an internal mail server.
    > 
    > Example:
    > 	you = 6.6.6.666
    > 	Webserver = 1.1.1.1
    > 	Internal Mailserver = 2.2.2.2
    > 
    > 	Rule allows:  Any  Webserver http->resource
    > 
    > 	connect with "telnet 1.1.1.1 80" to the webserver and enter
    > 	CONNECT 2.2.2.2:25 / HTTP/1.0
    > 
    > 	response: mail server banner - and a running SMTP session, e.g.
    > 	to send SPAM from.
    > 
    > You can connect to any TCP port on any machine the firewall
    > can connect to. Telnet, SMTP, POP, etc.
    > 
    > Restrictions found:
    > 	- connects are only possible if the firewall module
    > 	  is allowed access (i.e. via policy/properties,
    > 	  specific rules or "Any  (dst) (svc)..." rules)
    > 	- you have to allow "CONNECT" - which is enabled if you allowed
    > 	  the "Tunneling" (General tab) connection method or did not
    > 	  delete the "*" in "Other" Methods (Match tab)
    > 
    > Fast workarounds:
    > 	- Change your resource settings to filter out CONNECT
    > 	  commands, i.e.
    > 		* disable HTTP tunneling
    > 		* check that "Other" method is specified NOT to
    > 		  match CONNECT (i.e. remove the default wildcard)
    > 	- disallow access from the firewall module (->Properties)
    > 	- replace in all your rules containing the service
    > 	  HTTP+Resource this part with plain HTTP. Yes, you lose
    > 	  some content security, but at least you don't compromise
    > 	  your other servers
    > 
    > 
    > The thing that really concerns me is that this general problem has
    > been known to be an issue with plain HTTP proxies like Squid for
    > ages (see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
    > And why didn't Checkpoint prevent or at least document this?
    > 
    > Puzzled
    > 	Volker
    > 
    > - --
    > 
    > - -------------------------------------------------------------------
    > volker.tangerat_private                                 discon GmbH
    > IT-Security Consulting                           Wrangelstrasse 100
    > http://www.discon.de/                         10997 Berlin, Germany
    > - -------------------------------------------------------------------
    > PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
    
    ---------------End of Original Message-----------------
    
    ----------------------------------------------------------------
    Scott.Registerat_private  ||  FireWall-1 Product Manager
                   Check Point Software Technologies, Inc.
    2255 Glades Road    /    Suite 324A     \  Boca Raton, FL  33431
    Voice: 561.989.5418 | Fax: 561.997.5421  |   02/24/02   20:25:30
    ----------------------------------------------------------------
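The two resource settings the thread turns on ("Tunneling" and the "Other" methods wildcard) and the rule-base check Check Point's statement relies on can be modelled and run against captured proxy request lines. This is an added example, not Check Point's or the poster's code; the field names, the `allowed_targets` stand-in for the rule base and the sample request lines are constructed.

```python
"""Added example, not Check Point's or the poster's code: a small model of the
FireWall-1 HTTP resource settings named in the thread, used to audit proxy
request lines. Field names and the sample requests are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import re

# Request line as the proxy sees it: METHOD target HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


@dataclass
class ResourceConfig:
    tunneling: bool     # "Tunneling" connection method (General tab)
    other_methods: str  # "Other" methods pattern (Match tab); default is "*"
    # Destinations (host:port) the rule base lets the firewall module reach;
    # stands in for the rule-base check Check Point's statement refers to.
    allowed_targets: set = field(default_factory=set)


def connect_matches(cfg: ResourceConfig) -> bool:
    """CONNECT passes the resource if tunneling is on or 'Other' matches it."""
    return cfg.tunneling or fnmatch("CONNECT", cfg.other_methods)


def evaluate(cfg: ResourceConfig, line: str) -> str:
    """Decide one request line against the resource, then the rule base."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "deny: malformed request line"
    method, target = m.group("method"), m.group("target")
    if method != "CONNECT":
        return "allow"
    if not connect_matches(cfg):
        return "deny: CONNECT filtered by resource"
    if target in cfg.allowed_targets:
        return "allow"
    return f"deny: tunnel to {target} not permitted by rule base"


# Resource as the post describes it: tunneling off, but "Other" left at "*",
# and the firewall module itself permitted to reach the internal mail server
DEFAULT_CFG = ResourceConfig(False, "*", allowed_targets={"2.2.2.2:25"})
# Hardened per the workaround: tunneling off and the wildcard removed
HARDENED_CFG = ResourceConfig(False, "", allowed_targets={"2.2.2.2:25"})

# Constructed request lines, including the tunnel attempt from the post
SAMPLE_REQUESTS = ["GET /index.html HTTP/1.0",
                   "CONNECT 2.2.2.2:25 HTTP/1.0",
                   "CONNECT 3.3.3.3:110 HTTP/1.0"]
```

Under `DEFAULT_CFG` the tunnel to 2.2.2.2:25 is allowed (the poster's finding) while 3.3.3.3:110 is stopped by the rule base (Check Point's point); under `HARDENED_CFG` every CONNECT is filtered by the resource itself.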
    


