Re: Proxy server object cache poisoning?

["Panayiotis A. Thermos" <pthermos () TELCORDIA COM>]

Based on the scenario, once the proxy is compromised everything is possible.
 The attacker can follow, easier alternate channels to perform malicious
activities.

 An alternate scenario would be for an attacker to discover a proxy that has
been misconfigured
(or not configured to prevent) to allow non-priviledged users to modify, delete
or overwite cached files.
In this case, interactive access to the host is not necessary as long as  the
misconfiguration,
allows the attacker to replace a cached file.

I have exploited a similar scenario with a print server that caches files to be
printed. The print server
maintained a ditrectory structure, rather than a database structure, to cache
print requests in which
the configuration alowd file listing, read and write access by non-priviledged
users.

PT






"Brvenik, Jason" <Jason.Brvenik () USDOJ GOV> on 10/02/2000 10:20:05 AM

Please respond to "Brvenik, Jason" <Jason.Brvenik () USDOJ GOV>

To:   VULN-DEV () SECURITYFOCUS COM
cc:    (bcc: Panayiotis A. Thermos/Telcordia)
Subject:  Re: Proxy server object cache poisoning?




Actually, there would be much easier ways once on the proxy to do bad things and
some not so easy but fully possible.

Some of them off the top of my head.

1) Local DNS cache poisoning.
2) Redirect of specific downloads. No cache involved.
    IE: all .exe turns into trojans.
3) Malicious code injection for all/select pages.
    Imagine an IE implementation at a company that has the local domain as fully
    trusted and allows unsigned ActiveX or applets to execute.
4) Cookie theft.
.....


> -----Original Message-----
> From: Abe Getchell [mailto:agetchel () KDE STATE KY US]
> Sent: Friday, September 29, 2000 2:49 PM
> To: INCIDENTS () SECURITYFOCUS COM@inetgw2
> Subject: Proxy server object cache poisoning?
>
>
> Hey all,
>    I was wondering if anybody has seen this form of attack in their
> environment?  Proxy object cache poisoning is the act of
> replacing an object
> that has been cached by a proxy server with a compromised copy of that
> object (kind of like DNS cache poisoning where
> www.metallica.com points too
> Napster's site for some reason <g>).  For example, a hacker
> breaks into a
> proxy server for a large organization.  (S)He has access for
> a week when the
> next servicepack is released for Windows 2000.  (S)He
> replaces the cached
> file on the proxy server with a compromised version that
> includes a trojan.
> Every admin who then downloads the servicepack from that
> point on gets a
> compromised copy and the trojan runs rampant in the organization.
>    This can be a problem on a proxy server that stores
> their files as
> renamed URL's on the hard drive much like Microsoft Proxy
> Server 2.0.  All
> one has to do is find the file out of a bunch of directories (the
> '\urlcache' directory in Microsoft Proxy Server 2.0) and
> replace it with
> whatever they like.  Fortunately, this problem has been
> resolved by MS in
> ISA, as all cached data is stored in a database format.  Novell's
> BorderManager does the same if I remember correctly.
>    So has anybody seen this happen?
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel () kde state ky us
> Web     http://www.kde.state.ky.us/