OSEC

From: William D. Colburn (aka Schlake) (wcolburnnmt.edu)
Date: Mon Feb 18 2002 - 18:09:59 CST

    Checkpoint bounced my mail because I'm not a checkpoint customer, so I
    contacted customer advocacy and resent it to a different address (this
    message is copied to her as well). I was told that the issue would be
    propagated to an appropriate person.

    Please drop the old message and continue to hold this message until
    Checkpoint responds.

    I have a few updates to this issue that I have learned since I crafted
    the original message.

    I only need to give the "CONNECT" line, and nothing else. After the
    second newline there is a pause and then the TCP stream is open. I seem
    to be able to open any port on any machine I want *except* port 80. I
    was able to telnet in to UNIX login with the firewall appearing as the
    remote host. The initial machine I use (inside the firewall) does not
    need to actually exist, I merely have to attempt to connect to an IP
    address "inside" on port 80.

    This whole thing gives anyone outside a firewall the ability to masquerade on
    any TCP service (except WWW) as a machine inside the domain of the
    firewall. As far as I can tell there are no logs on this, and it is
    hard to detect on the firewall. I found it by doing a tcpdump of all
    packets and gradually narrowing down my filters until I was able to
    "catch" an entire transaction.

    ----- Forwarded message from "William D. Colburn (aka Schlake)" <wcolburnnmt.edu> -----

    Step one: telnet to a machine behind the checkpoint firewall on port 80

    Step two: Type the following:
    >CONNECT mailserver.somecompany.com:25 / HTTP/1.0
    >User-Agent: eeep
    >Cache-Control: private,no-cache
    >Pragma: no-cache
    >

    Step three: wait a moment for your SMTP banner to pop up.

    I will attach an actual attack I captured with tcpdump and ethereal.
    The file is the result of an ethereal "Follow TCP stream".

    I hate the person who did this to me and I hope they die a terrible
    death.

    --
    William Colburn, "Sysprog" <wcolburnnmt.edu>
    Computer Center, New Mexico Institute of Mining and Technology
    http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn
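The post says the tunnelling leaves no firewall log and was only found by narrowing tcpdump filters on a full capture. The following capture-side check is an added example, not the poster's code and not taken from his attachment: it scans the first bytes of TCP streams sent from outside to port 80 of an inside address and flags CONNECT request lines, including the "CONNECT host:port / HTTP/1.0" form quoted above. The sample flows and the inside network 198.51.100.0/24 are constructed assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Request line of an HTTP CONNECT tunnel request.  The optional lone "/"
# token also accepts the slightly non-standard form quoted in the post
# ("CONNECT host:25 / HTTP/1.0"), not only "CONNECT host:25 HTTP/1.0".
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})(?:\s+/)?\s+HTTP/1\.[01]\s*$"
)

class Tunnel(NamedTuple):
    src: str      # outside client that sent the CONNECT
    via: str      # "inside" address whose port 80 the firewall answered for
    target: str   # host the firewall was asked to open a TCP stream to
    port: int     # TCP port on that host

def parse_connect(payload: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) if the payload's first line is a CONNECT request."""
    first_line = payload.split("\n", 1)[0].rstrip("\r")
    m = CONNECT_RE.match(first_line)
    if m is None:
        return None
    return m.group("host"), int(m.group("port"))

def find_tunnels(flows, inside_net: str) -> List[Tunnel]:
    """Flag CONNECT requests arriving from outside on port 80 of an inside address."""
    inside = ipaddress.ip_network(inside_net)
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 80 or ipaddress.ip_address(src) in inside:
            continue  # only outside -> inside traffic on port 80 is of interest
        parsed = parse_connect(payload)
        if parsed is not None:
            hits.append(Tunnel(src, dst, parsed[0], parsed[1]))
    return hits

# Constructed sample flows, not taken from the post's capture:
# (source IP, destination IP, destination port, first bytes of the TCP stream)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 80, "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.10", "198.51.100.7", 80, "CONNECT mailserver.somecompany.com:25 / HTTP/1.0\r\nUser-Agent: eeep\r\n\r\n"),
    ("192.0.2.44", "198.51.100.250", 80, "CONNECT 198.51.100.9:23 HTTP/1.1\r\n\r\n"),
    ("198.51.100.3", "198.51.100.7", 80, "CONNECT 198.51.100.9:23 HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for t in find_tunnels(SAMPLE_FLOWS, "198.51.100.0/24"):
        print(f"{t.src} used {t.via}:80 to tunnel to {t.target}:{t.port}")
```

Feeding it the per-stream payloads from a tool such as ethereal's "Follow TCP stream" gives a list of outside sources, the inside address they targeted (which need not exist), and the real host and port the firewall opened for them.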