TUCoPS :: Security App Flaws :: win5112.htm

FW-1 HTTP proxy allow to bypass security policies
20th Feb 2002 [SBWID-5112]
COMMAND

	FW-1 HTTP proxy allow to bypass security policies

SYSTEMS AFFECTED

	FW-1 4.1 SP5 (with hotfixes)

PROBLEM

	Volker Tanger reported following :
	

	 quite known proxy vulnerability was found for FW1 V4.1 SP5 (plus

	hotfixes) - thanks to Ryan Snyder  for  announcing  the  first  bits  on
	Firewall-1 mailing list.
	

	If you connect to a server you are allowed to connect to via HTTP  proxy
	(e.g. a common rule is \"Any / WebServer / http->ressource\"). Then  use
	the CONNECT method to connect to a different server,  e.g.  an  internal
	mailserver.
	

	Example:
	

		you = 6.6.6.666

		Webserver = 1.1.1.1

		Internal Mailserver = 2.2.2.2

	

		Rule allows:  Any  Webserver http->ressource

	

		connect with \"telnet 1.1.1.1 80\" to the webserver and enter

		CONNECT 2.2.2.2:25 / HTTP/1.0

	

		response: mail server banner - and running SMTP session e.g.

		to send SPAM from.

	

	

	You can connect to any TCP port on any machine the firewall can  connect
	to. Telnet, SMTP, POP, etc.
	

	Restrictions found:
	 - connects are only possible if the firewall module

	   is allowed access (i.e. via policy/properties,

	   specific rules or \"Any  (dst) (svc)...\" rules

	 - you have to allow \"CONNECT\" - is enabled if you allowed

	   \"Tunneling\" (General tab) connection method or did not

	   delete the \"*\" in \"Other\" Methods (Match tab)

	

	The thing that really concerns me is,  that  this  general  problem  has
	been known to be an issue with plain HTTP proxies like the  Squid  since
	ages (see e.g.  http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
	And why didn\'t Checkpoint prevent or at least document this?
	

	

SOLUTION

	Fast workarounds:
	 - Change your ressource settings to filter out CONNECT

	   commands, i.e.

		* disable HTTP tunneling

		* check that \"Other\" method is specified NOT to

		  match CONNECT (i.e. remove the default wildcard)

	 - disallow access from the firewall module (->Properties)

	 - replace in all your rules containing the service

	   HTTP+Resource this part with plain HTTP. Yes, you loose

	   some content security but at least you don\'t compromise

	   your other servers

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH