Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proxy server object cache poisoning?

From: "Brvenik, Jason" <Jason.Brvenik () USDOJ GOV>
Date: Mon, 2 Oct 2000 10:20:05 -0400
Actually, there would be much easier ways once on the proxy to do bad things and some not so easy but fully possible.

Some of them off the top of my head.

1) Local DNS cache poisoning.
2) Redirect of specific downloads. No cache involved.
    IE: all .exe turns into trojans.
3) Malicious code injection for all/select pages.
    Imagine an IE implementation at a company that has the local domain as fully
    trusted and allows unsigned ActiveX or applets to execute.
4) Cookie theft.
.....



-----Original Message-----
From: Abe Getchell [mailto:agetchel () KDE STATE KY US]
Sent: Friday, September 29, 2000 2:49 PM
To: INCIDENTS () SECURITYFOCUS COM@inetgw2
Subject: Proxy server object cache poisoning?


Hey all,
      I was wondering if anybody has seen this form of attack in their
environment?  Proxy object cache poisoning is the act of
replacing an object
that has been cached by a proxy server with a compromised copy of that
object (kind of like DNS cache poisoning where
www.metallica.com points too
Napster's site for some reason <g>).  For example, a hacker
breaks into a
proxy server for a large organization.  (S)He has access for
a week when the
next servicepack is released for Windows 2000.  (S)He
replaces the cached
file on the proxy server with a compromised version that
includes a trojan.
Every admin who then downloads the servicepack from that
point on gets a
compromised copy and the trojan runs rampant in the organization.
      This can be a problem on a proxy server that stores
their files as
renamed URL's on the hard drive much like Microsoft Proxy
Server 2.0.  All
one has to do is find the file out of a bunch of directories (the
'\urlcache' directory in Microsoft Proxy Server 2.0) and
replace it with
whatever they like.  Fortunately, this problem has been
resolved by MS in
ISA, as all cached data is stored in a database format.  Novell's
BorderManager does the same if I remember correctly.
      So has anybody seen this happen?

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/
Previous By Date Next
Previous By Thread Next

Current thread: