It may be possible to bypass all firewall rules when Gauntlet Firewall 5.0 is installed on the BSDI platform in a specific configuration. The following must be done, in the order listed, for a Gauntlet installation to be affected:

1) Install BSDI 3.1
2) Install Gauntlet 5.0
3) Install BSDI patch M310-049
4) Install Gauntlet 5.0 kernel patch level 2
5) Remove any proxy settings on the client machine.
6) Set the default route on the client machine to the firewall and attempt to connect to any host with an ordinary TCP connection.

The problem appears regardless of whether the service in question is handled by an adaptive proxy, an "old" proxy, or no proxy at all: once the client stops using the proxy and simply routes its packets through the firewall, the traffic is forwarded. Because the firewall does not perform NAT on this forwarded traffic, exploitation requires routes to be set explicitly (the client's default route pointing at the firewall's internal interface, and the server's at its external interface). None of the connections that bypass the rules are logged in /var/log/messages, so a successful connection with no corresponding proxy log entry is the indicator to look for.

Keith Young describes how to replicate the problem (this is taken directly from his bugtraq post):

1) Install BSDI 3.1, March 1998. Use automatic install; however, you may install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for external and internal interfaces. If necessary, configure ESPM hosts, DNS settings, and admin users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for Gauntlet kernel patch install, and M310-046 is required for M310-049 installation, download both from ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
   File info:
     M310-046  1194 Kb  Wed Oct 14 00:00:00 1998
     M310-049   116 Kb  Wed Dec 16 00:00:00 1998
   Both patches are considered "OK" by the Gauntlet support site: http://www.tis.com/support/bsd31.html
10) Bring machine to single-user mode by executing "kill -term 1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
      # make clean
      # make depend
      # make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
   File info:
     cluster.BSDI.patch  12623 Kb  Wed Sep 01 19:33:00 1999
     kernel.BSDI.patch     414 Kb  Wed Aug 04 17:54:00 1999
17) As noted in patch install directions, execute the following:
      # sh ./cluster.BSDI.patch
      # sh ./kernel.BSDI.patch
      # cd kernel.BSDI.patch
      # sh ./apply
      # cd ../cluster.BSDI.patch
      # sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting to internal interface of firewall. Attempt to connect to external web server. Access is allowed. *This is correct.*
20) Remove http-gw from trusted network services. Apply changes. Attempt to connect to external web server. Access is denied. *This is correct.*

==Problem starts here==

21) Remove proxy setting in web browser on client machine. Set gateway/default route on client machine to internal interface of firewall. Set gateway/default route on server machine to external interface of firewall.
22) Clear web browser cache. Attempt to connect to external web server. Web page is downloaded with no logs in Gauntlet.
23) Start ESPM-GUI. Remove all services from trusted networks services. Remove client machine from ESPM network group. Apply changes.
24) FTP from client machine to server. FTP connection is made though no rule exists.
25) Start telnet server on client machine. Telnet from server to client. Telnet connection is made.
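The checks in steps 21 through 25 (connect with no proxy configured, then confirm whether the firewall logged anything) can be scripted so the test is repeatable after each patch. The following is an added example for this page, not code from the advisory or from Keith Young's post. It assumes the client's default route already points at the firewall's internal interface and that a routed-through connection is the only way the probe can succeed; it uses raw sockets deliberately, so no browser or HTTP_PROXY setting is consulted. The log-matching rule (a line that mentions both the client address and the destination host counts as "logged") and the sample log line are assumptions, since Gauntlet's exact syslog layout is not given on the page. The targets in self_test() are loopback listeners constructed for an offline demonstration.

```python
"""Client-side leak test for a proxy-only firewall (added example).

Run this from the client with no proxy configured and the default route
pointing at the firewall's internal interface.  A probe that connects is a
packet that was routed through the firewall; if no firewall log line
mentions it, that is the unlogged bypass the advisory describes.
"""
import socket
import threading


def probe_tcp(host, port, timeout=5.0):
    """Plain TCP connect with no proxy. True if the handshake completed.

    Behind a correctly configured proxy-only firewall with no rule for this
    service the result should be False (refused or timed out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(targets, timeout=5.0):
    """targets: list of (label, host, port). Returns {label: connected?}."""
    return {label: probe_tcp(host, port, timeout) for label, host, port in targets}


def unlogged_connections(results, targets, log_text, client_ip):
    """Return labels that connected but left no trace in the firewall log.

    Assumption: a connection counts as logged when some log line contains
    both the client address and the destination host.  This is deliberately
    format-agnostic because the real Gauntlet log layout is not known here.
    """
    lines = log_text.splitlines()
    missing = []
    for label, host, port in targets:
        if not results.get(label):
            continue
        if not any(client_ip in line and host in line for line in lines):
            missing.append(label)
    return missing


def self_test():
    """Offline demonstration on loopback; no firewall involved.

    One listening port stands in for a reachable external server, one closed
    port for a service the firewall correctly blocks."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    acceptor = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    acceptor.start()

    # Reserve and release a port so nothing is listening on it.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    targets = [("http", "127.0.0.1", open_port), ("ftp", "127.0.0.1", closed_port)]
    results = run_probes(targets, timeout=2.0)
    acceptor.join(2.0)
    srv.close()

    # Constructed log line: mentions an unrelated client and destination only,
    # so the successful "http" probe must be reported as unlogged.
    log_text = "Jan  1 00:00:00 fw http-gw[123]: permit host=10.0.0.9 destination=192.0.2.10\n"
    missing = unlogged_connections(results, targets, log_text, "127.0.0.1")
    return results, missing


if __name__ == "__main__":
    res, unlogged = self_test()
    print("probe results:", res)
    print("connected but not logged:", unlogged)
```

Against a real firewall, replace the loopback targets with the server's address and the service ports from the post (80, 21, 23), pull /var/log/messages from the firewall after the run, and pass its contents as log_text; any label returned by unlogged_connections() is a routed connection that the proxies neither blocked nor recorded.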