BugTraq
Astaro Security Linux Firewall - HTTP Proxy vulnerability Jan 20 2003 09:04AM
Volker Tanger (volker tanger discon de)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings!

A quite well known (i.e. ancient) type of proxy vulnerability was
found in the https proxy of Astaro Security Linux firewall (which is
a chrooted yet plain squid btw.) This general problem has been known
to be an issue with nearly all HTTP proxies for ages (e.g.
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

The vulnerability can be exploited using the CONNECT method to
connect to a different server, e.g. an internal mailserver as port
usage is completely unrestricted by the Astaro proxy.

Example:
you = 6.6.6.666
Astaro = 1.1.1.1 (http proxy at port 8080)
Internal Mailserver = 2.2.2.2

connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter
CONNECT 2.2.2.2:25 / HTTP/1.0

response: mail server banner - and running SMTP session e.g.
to send SPAM from.

You can connect to any TCP port on any machine the proxy can connect
to. Telnet, SMTP, POP, etc.

Solution:

Install patch 3.215 - there you can restrict the ports you allow
access to. I'd suggest ports 21 70 80 443 563 210 1025-65535 which
stand for FTP, Gopher, HTTP, HTTPS, HTTPS(seldom), WAIS and
nonprivileged services (e.g. passive FTP)

Volker Tanger
IT-Security Consulting

- --
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon +49 30 6104-3307
fax +49 30 6104-3461

volker.tanger (at) discon (dot) de [email concealed]
http://www.discon.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.5

iD8DBQE+K7um0uordLlMxo4RAuP2AJwKDWUC0ruCMgr4lsmQMwrr2aZOXQCeOHdN
LhhcvkURae1erxD3tN59SlQ=
=arTl
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus