1. Problem Description
The Raptor firewall is vulnerability for forwarding http
request on other port numbers than 80, if a rule allows http
traffic.
Redirect rules does not affect this problem.
When an extern or internal client, configures itself to use
the nearest interface as proxy, it's possible to access other
ports that 80 on the target host.
Only the http protocol is allowed and only to a range of TCP
ports:
TCP, 79-99 and TCP, 200-65535.
If a port outside this range is targeted, an Alert
will be issued.
An example of what is vulnerability could be used for:
Setting a Raptor firewall up, allowing Universe to
access a local web server (host: webserver), listening
on port 80 (normal website) and 2000 (admin
site). This would give external users access to the
admin site listening on port 2000, if the client is
configured to use the external interface as a proxy
server (for lynx: "export http_proxy =
http://external-interface:80/ ; lynx
http://webserver:2000/").
This works not only for external users, but also for internal
users.
Testing of the Secure Socket Layer has not been performed.
2. Vulnerable Versions
Raptor firewall 6.5.
2.1 Non Vulnerable Versions
Raptor firewall 6.0.2.
Older versions, not tested.
3. Solution
1. Use httpd.noproxy in the affected rule.
2. Downgrade to version 6.0.2
3. Apply hotfix SG6500-20000920-00 and SG6500-20001121-00,
ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip
Hot Fix SG6500-20000920-00 9/20/2000
if client uses firewall as proxy, firewall will forward
request to ports other than 80 on server. this vulnerability
is fixed by closing all ports for proxy except 80 and port
specified by httpd.allow_proxy_to_port_xxx=1.
Hot Fix SG6500-20001121-00 11/21/2000
this hotfix removes the implementation of
httpd.allow_proxy_to_port_xxx. Without this implementation,
firewall could be used as proxy to access (inbound and
outbound) http ports other than 80.
3.1 Workaround:
1. Disable the http proxy, and use the TCP proxy. But this
will introduce other security concerns.
2. Disable other listeners at the webserver.
4. References
Found by:
Benny Amorsen, [EMAIL PROTECTED] and
Christian E. Lysel, [EMAIL PROTECTED]
Reported to Axent the 29th Aug 2000.
--
Christian E. Lysel, Senior Security Consultant,
WM-data Infra Solutions eCom, Lautrupvang 10, DK - 2750 Ballerup
Phone +45 44 78 40 00, Mob +45 44 78 40 29, Fax +45 44 78 40 04