
Re: [FW-1] HTTP Proxy Security Hole!!!



Greetings!

Snyder, Ryan wrote:

> Try this on your firewall if you are running HTTP Proxy!  Checkpoint has yet
> to release a fix.
>
> [...]
>
> I also found out that one can telnet to machines on a network that are
> protected by the Firewall.


I just tested and confirmed for FW1 V4.1 SP5 (plus hotfixes).


Even worse: you can connect to any TCP port on any machine the firewall can connect to. Telnet, SMTP, POP, etc.

Restrictions found:
       - connects are only possible if the firewall module
         is allowed access (i.e. via policy/properties,
         specific rules or "Any  (dst) (svc)..." rules
       - you have to allow "CONNECT" - is enabled if you allowed
         "Tunneling" (General tab) connection method or did not
         delete the "*" in "Other" Methods (Match tab)

Fast workarounds:
       - Change your resource settings to filter out CONNECT
         commands, i.e.
               * disable HTTP tunneling
               * check that "Other" method is specified NOT to
                 match CONNECT (i.e. remove the default wildcard)
       - disallow access from the firewall module (->Properties)
       - replace in all your rules containing the service
         HTTP+Resource this part with plain HTTP. Yes, you lose
         some content security but at least you don't compromise
         your other servers


The thing that really concerns me is that this general problem has been known to be an issue with plain HTTP proxies like Squid for ages (see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). And why didn't Checkpoint prevent or at least document this?

Puzzled

Volker

--

-------------------------------------------------------------------
[email protected]                                 discon GmbH
IT-Security Consulting                           Wrangelstrasse 100
http://www.discon.de/                         10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
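
One way to express the CONNECT restrictions from the workarounds above in code, as an added example that is not part of the original post and not Check Point's or Squid's own code: a small Python filter that allows CONNECT only to an allow-listed port (443, the policy the cited Squid FAQ recommends, assumed here) and never into protected networks (RFC 1918 space, assumed to stand in for the hosts the firewall module can reach), then audits a set of constructed proxy request lines against it.

```python
import ipaddress
from typing import NamedTuple

# Assumption: CONNECT is only needed for TLS on 443 (as the Squid FAQ advises).
ALLOWED_CONNECT_PORTS = {443}
# Assumption: RFC 1918 space stands in for hosts the firewall module can reach.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Verdict(NamedTuple):
    allowed: bool
    reason: str

def check_request_line(line: str) -> Verdict:
    """Other methods pass through; CONNECT is allowed only to a listed port
    and never into a protected network. A hostname target passes on the port
    check alone, so a real proxy must repeat the address check after DNS."""
    parts = line.strip().split()
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    method, target, _version = parts
    if method.upper() != "CONNECT":
        return Verdict(True, "not a tunnel request")
    host, sep, port_str = target.rpartition(":")
    if not sep or not port_str.isdigit():
        return Verdict(False, "CONNECT target must be host:port")
    port = int(port_str)
    if port not in ALLOWED_CONNECT_PORTS:
        return Verdict(False, f"CONNECT to port {port} not permitted")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return Verdict(True, "CONNECT to permitted port (hostname, unresolved)")
    if any(addr in net for net in PROTECTED_NETS):
        return Verdict(False, f"CONNECT into protected network via {host}")
    return Verdict(True, "CONNECT to permitted port")

def audit_log(lines):
    """Return (request line, reason) for every request the filter refuses."""
    verdicts = [(ln, check_request_line(ln)) for ln in lines]
    return [(ln, v.reason) for ln, v in verdicts if not v.allowed]

# Constructed sample request lines, not from the original post.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/ HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
    "CONNECT 10.1.2.3:23 HTTP/1.0",
    "CONNECT 192.168.1.10:443 HTTP/1.0",
    "CONNECT 172.16.5.5:25 HTTP/1.0",
]
```

Running `audit_log(SAMPLE_REQUESTS)` refuses the last three lines; the same check can be run over a proxy's request log to find CONNECT requests that a permissive "Other methods *" setting would have tunneled.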
