Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Security App Flaws :: win5112.htm

FW-1 HTTP proxy allow to bypass security policies
20th Feb 2002 [SBWID-5112]

	FW-1 HTTP proxy allow to bypass security policies


	FW-1 4.1 SP5 (with hotfixes)


	Volker Tanger reported following :

	 quite known proxy vulnerability was found for FW1 V4.1 SP5 (plus

	hotfixes) - thanks to Ryan Snyder  for  announcing  the  first  bits  on
	Firewall-1 mailing list.

	If you connect to a server you are allowed to connect to via HTTP  proxy
	(e.g. a common rule is \"Any / WebServer / http->ressource\"). Then  use
	the CONNECT method to connect to a different server,  e.g.  an  internal


		you =

		Webserver =

		Internal Mailserver =


		Rule allows:  Any  Webserver http->ressource


		connect with \"telnet 80\" to the webserver and enter



		response: mail server banner - and running SMTP session e.g.

		to send SPAM from.



	You can connect to any TCP port on any machine the firewall can  connect
	to. Telnet, SMTP, POP, etc.

	Restrictions found:
	 - connects are only possible if the firewall module

	   is allowed access (i.e. via policy/properties,

	   specific rules or \"Any  (dst) (svc)...\" rules

	 - you have to allow \"CONNECT\" - is enabled if you allowed

	   \"Tunneling\" (General tab) connection method or did not

	   delete the \"*\" in \"Other\" Methods (Match tab)


	The thing that really concerns me is,  that  this  general  problem  has
	been known to be an issue with plain HTTP proxies like the  Squid  since
	ages (see e.g.
	And why didn\'t Checkpoint prevent or at least document this?



	Fast workarounds:
	 - Change your ressource settings to filter out CONNECT

	   commands, i.e.

		* disable HTTP tunneling

		* check that \"Other\" method is specified NOT to

		  match CONNECT (i.e. remove the default wildcard)

	 - disallow access from the firewall module (->Properties)

	 - replace in all your rules containing the service

	   HTTP+Resource this part with plain HTTP. Yes, you loose

	   some content security but at least you don\'t compromise

	   your other servers




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH