BugTraq
RE: Astaro Security Linux Firewall - HTTP Proxy vulnerability Feb 10 2003 08:39PM
Markus Hennig (mhennig astaro com)
Bugtraq: Astaro Security Linux Firewall - HTTP Proxy vulnerability

Vulnerability description:
-------------------------
The HTTP proxy can be used to connect to any TCP port
and not only to certain 'safe' ports.

The vulnerability only takes effect for clients that have
allowed access to the proxy.

In standard mode, only host defined in the allowed networks list of
the HTTP proxy has been able to use this flaw. In user authentication
mode, only host defined in the allowed networks list and after a
correct user authentication has been able to use this flaw.
In transparent mode, hosts were not able to use this flaw.

Per default the HTTP proxy is disabled and the allowed networks list is empty.

At any given time there was no vulnerability of system
itself, neither a remote exploit giving unprivileged users
access to the system.

Impact:
-------
The allowed users have been able to connect to any tcp port in the internet
and therefore bypass the security policy defined in the packet filter.

Advice:
-------
Please make sure that only trusted/internal networks are
selected in the allowed networks list of the HTTP proxy.
This prevents abuse of the proxy from the outside/internet.

Fix Description:
----------------
To fix this issue a new Configuration option has been added
to HTTP proxy configuration menu, giving you the ability to
configure the services which are allowed to use through the
HTTP proxy .

Per default we added the following services:
- HTTP
- HTTPS
- LDAP
- FTP_CONTROL
- SQUID

Vulnerable Versions:
--------------------
Astaro Security Linux 2.0 prior version 2.031
Astaro Security Linux 3.2 prior version 3.214

Bugfixed in version:
--------------------
Up2Date Package 2.032 (released Jan, 21st, 2003)
Up2Date Package 3.215 (released Jan, 17th, 2003)

Please update your system to latest version available.

Astaro Security Team

Visit Astaro at:
- Infosecurity Italia 2003, Milano, Feb. 12 - 14, 2003
- Infosecurity Belgium 2003, Brussels, Feb. 26 - 27, 2003
- NetworkWorld Technical Seminar "VPN", Offenbach, Feb. 26.-27. 2003
- CeBIT 2003, Hannover, Mar. 12.-19, 2003
- Infosecurity Europe, London, Apr. 29 - May 1, 2003

> -----Original Message-----
> From: Volker Tanger [mailto:volker.tanger (at) discon (dot) de [email concealed]]
> Sent: Monday, January 20, 2003 10:05 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Astaro Security Linux Firewall - HTTP Proxy vulnerability
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Greetings!
>
> A quite well known (i.e. ancient) type of proxy vulnerability was
> found in the https proxy of Astaro Security Linux firewall (which is
> a chrooted yet plain squid btw.) This general problem has been known
> to be an issue with nearly all HTTP proxies for ages (e.g.
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
>
> The vulnerability can be exploited using the CONNECT method to
> connect to a different server, e.g. an internal mailserver as port
> usage is completely unrestricted by the Astaro proxy.
>
> Example:
> you = 6.6.6.666
> Astaro = 1.1.1.1 (http proxy at port 8080)
> Internal Mailserver = 2.2.2.2
>
> connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter
> CONNECT 2.2.2.2:25 / HTTP/1.0
>
> response: mail server banner - and running SMTP session e.g.
> to send SPAM from.
>
> You can connect to any TCP port on any machine the proxy can connect
> to. Telnet, SMTP, POP, etc.
>
>
> Solution:
>
> Install patch 3.215 - there you can restrict the ports you allow
> access to. I'd suggest ports 21 70 80 443 563 210 1025-65535 which
> stand for FTP, Gopher, HTTP, HTTPS, HTTPS(seldom), WAIS and
> nonprivileged services (e.g. passive FTP)
>
>
> Volker Tanger
> IT-Security Consulting
>
> - --
> discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
>
> fon +49 30 6104-3307
> fax +49 30 6104-3461
>
> volker.tanger (at) discon (dot) de [email concealed]
> http://www.discon.de/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.5
>
> iD8DBQE+K7um0uordLlMxo4RAuP2AJwKDWUC0ruCMgr4lsmQMwrr2aZOXQCeOHdN
> LhhcvkURae1erxD3tN59SlQ=
> =arTl
> -----END PGP SIGNATURE-----
>
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus