[8709] in bugtraq

home help back first fref pref prev next nref lref last post

Attacking "protected" machines through MS-Proxy Server 2.0.

daemon@ATHENA.MIT.EDU (mnemonix)
Wed Dec 16 12:13:26 1998

Date: 	Wed, 16 Dec 1998 12:00:58 -0000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To:         ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG

This is a multi-part message in MIME format.

------=_NextPart_000_005D_01BE28EB.BDFE0740
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

This advisory is for those using MS Proxy 2.0 with packet filtering and =
use the same machine to Publish Web pages, or those that don't enable =
packet filtering. You network is at risk of attack unless you also =
employ other security measures.

In certain and quite common configurations of MS Proxy Server 2.0 it is =
possible to attack the machines it is there to protect. This can be =
acheived in a number of ways, more easily if access can be gained to the =
same IP subnet as the "Dirty" Internet Interface. But first some key =
facts on Proxy.

When MS Proxy is installed on a machine with two interface cards the =
Admin specifies the IP addresses of the machines on the local / =
corporate network. This information is stored in a file called the LAT =
or Local Address Table. Doing this lets Proxy know which interface is =
the clean client side and which is the dirty Internet side. The IP =
address of the dirty interface should not be listed in the LAT.=20

IP forwarding should be disabled.

Once installed MS - Proxy disables connections to TCP port 80 (assuming =
this is the port Proxy is listening on) on the dirty interface*. Only =
the clean interface will accept connections and service requests on port =
80 - meaning that only clients on clean side should be able to use the =
Proxy services.

It is possible, however, to make a connection to port 80 on the clean =
interface from the dirty side. To see this happening set up a host on =
the same IP subnet as the dirty interface and then set your default =
gateway to the IP address of the dirty interface on the Proxy - then =
telnet to port 80 on the IP address of the clean interface. You should =
be connected. Then issue the request:

"GET http://some.protected.machine.on.the.clean.side:port/ =
HTTP/1.0<enter><enter>"

Proxy will then establish a TCP connection to the protected machine on =
the port you have specified. It is easier to see this if the machine is =
an Internal Web Server. One would expect with IP forwarding disabled =
that this should not happen - ie the passsing of IP information from the =
dirty interface to the clean interface. This is the "hole" but this is =
not a bug but rather a feature. This happens due to the IP routing =
algorithm: If a multi-homed computer, not configured as a router, =
receives a packet on an interface it will check all of its local IP =
addresses and if a match is found - whether the IP address is bound to =
another interface card or not - the information is passed across. This =
should be acheivable also in an attack involving source routing, =
specifying the IP address of the dirty interface as the last "hop" to =
the target. Once on the clean side of the Proxy server it is then =
possible using the Proxy to redirect attacks into the "protected" LAN.

What can be done to prevent this?

First an foremost enabling packet filtering on the dirty interface card =
can prevent this. Don't allow inbound traffic on port 80. If, however, =
you also use the underlying IIS to publish Web pages to the Internet ( =
that is from the Web Proxy Properties -> Publishing -> Enable Publishing =
-> Send to local Server) then this is not an option and you are at risk.

Secondly, enable access control - this won't stop this from happening =
but unless the attacker has a USER ID and password there is not much =
they can do.

Thirdly, it seems that flushing the static routing table on the machine =
(c:\>route -f) also resolves the problem.

This issue has been reported to Microsoft and they have confirmed this =
to be a problem in some of the aforementioned scenarios but not others. =
I have demonstrated this a number of times now to Diligence's clients in =
all of the above scenarios. To be on the safe side check if you are =
susceptible. It is my opinion that one possible programatic solution to =
this, that MS could produce, would be to have the Proxy server, at the =
application layer in the OSI model,  check the IP address of the =
requesting machine and if this address is not in the LAT then Proxy =
should simply discard the request.

David Litchfield

More information can be found at http://www.infowar.co.uk/mnemonix/

* Proxy does not 100% disable connections to port 80 on the dirty =
interface. It is still possible to create a TCP virtual connection but =
nothing useful can be done with it - no information is returned.


------=_NextPart_000_005D_01BE28EB.BDFE0740
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>

<META content=3Dtext/html;charset=3Diso-8859-1 =
http-equiv=3DContent-Type>
<META content=3D'"MSHTML 4.72.2106.6"' name=3DGENERATOR>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D"Times New Roman" size=3D2><B>
<P>This advisory is for those using MS Proxy 2.0 with packet filtering =
and use=20
the same machine to Publish Web pages, or those that don't enable packet =

filtering. You network is at risk of attack unless you also employ other =

security measures.</P></B>
<P>In certain and quite common configurations of MS Proxy Server 2.0 it =
is=20
possible to attack the machines it is there to protect. This can be =
acheived in=20
a number of ways, more easily if access can be gained to the same IP =
subnet as=20
the &quot;Dirty&quot; Internet Interface. But first some key facts on =
Proxy.</P>
<P>When MS Proxy is installed on a machine with two interface cards the =
Admin=20
specifies the IP addresses of the machines on the local / corporate =
network.=20
This information is stored in a file called the LAT or Local Address =
Table.=20
Doing this lets Proxy know which interface is the clean client side and =
which is=20
the dirty Internet side. <B>The IP address of the dirty interface should =
not be=20
listed in the LAT. </P></B><B>
<P>IP forwarding should be disabled.</P></B>
<P>Once installed MS - Proxy disables connections to TCP port 80 =
(assuming this=20
is the port Proxy is listening on) on the dirty interface*. Only the =
clean=20
interface will accept connections and service requests on port 80 - =
meaning that=20
only clients on clean side should be able to use the Proxy services.</P>
<P>It is possible, however, to make a connection to port 80 on the clean =

interface from the dirty side. To see this happening set up a host on =
the same=20
IP subnet as the dirty interface and then set your default gateway to =
the IP=20
address of the dirty interface on the Proxy - then telnet to port 80 on =
the IP=20
address of the clean interface. You should be connected. Then issue the=20
request:</P><B>
<P>&quot;GET http://some.protected.machine.on.the.clean.side:port/=20
HTTP/1.0&lt;enter&gt;&lt;enter&gt;&quot;</P></B>
<P>Proxy will then establish a TCP connection to the protected machine =
on the=20
port you have specified. It is easier to see this if the machine is an =
Internal=20
Web Server. One would expect with IP forwarding disabled that this =
should not=20
happen - ie the passsing of IP information from the dirty interface to =
the clean=20
interface. This is the &quot;hole&quot; but this is not a bug but rather =
a=20
feature. This happens due to the IP routing algorithm: If a multi-homed=20
computer, not configured as a router, receives a packet on an interface =
it will=20
check all of its local IP addresses and if a match is found - whether =
the IP=20
address is bound to another interface card or not - the information is =
passed=20
across. This should be acheivable also in an attack involving source =
routing,=20
specifying the IP address of the dirty interface as the last =
&quot;hop&quot; to=20
the target. Once on the clean side of the Proxy server it is then =
possible using=20
the Proxy to redirect attacks into the &quot;protected&quot; LAN.</P>
<P>What can be done to prevent this?</P>
<P>First an foremost enabling packet filtering on the dirty interface =
card can=20
prevent this. Don't allow inbound traffic on port 80. <B>If, however, =
you also=20
use the underlying IIS to publish Web pages to the Internet ( that is =
from the=20
Web Proxy Properties -&gt; Publishing -&gt; Enable Publishing -&gt; Send =
to=20
local Server) then this is not an option and you are at risk.</P></B>
<P>Secondly, enable access control - this won't stop this from happening =
but=20
unless the attacker has a USER ID and password there is not much they =
can=20
do.</P>
<P>Thirdly, it seems that flushing the static routing table on the =
machine=20
(c:\&gt;route -f) also resolves the problem.</P>
<P>This issue has been reported to Microsoft and they have confirmed =
this to be=20
a problem in some of the aforementioned scenarios but not others. I have =

demonstrated this a number of times now to Diligence's clients in all of =
the=20
above scenarios. <STRONG>To be on the safe side check if you are=20
susceptible.</STRONG> It is my opinion that one possible programatic =
solution to=20
this, that MS could produce, would be to have the Proxy server, at the=20
application layer in the OSI model,&nbsp; check the IP address of the =
requesting=20
machine and if this address is not in the LAT then Proxy should simply =
discard=20
the request.</P>
<P>David Litchfield</P>
<P>More information can be found at <A=20
href=3D"http://www.infowar.co.uk/mnemonix/">http://www.infowar.co.uk/mnem=
onix/</A></P>
<P>* Proxy does not 100% disable connections to port 80 on the dirty =
interface.=20
It is still possible to create a TCP virtual connection but nothing =
useful can=20
be done with it - no information is =
returned.</P></FONT></DIV></BODY></HTML>

------=_NextPart_000_005D_01BE28EB.BDFE0740--

home help back first fref pref prev next nref lref last post