Bugtraq mailing list archives
RE: Astaro Security Linux Firewall - HTTP Proxy vulnerability
From: "Markus Hennig" <mhennig () astaro com>
Date: Mon, 10 Feb 2003 21:39:46 +0100
Bugtraq: Astaro Security Linux Firewall - HTTP Proxy vulnerability

Vulnerability description:
-------------------------
The HTTP proxy can be used to connect to any TCP port and not only to certain 'safe' ports.

The vulnerability only takes effect for clients that have allowed access to the proxy.

In standard mode, only hosts defined in the allowed networks list of the HTTP proxy have been able to use this flaw.

In user authentication mode, only hosts defined in the allowed networks list and after a correct user authentication have been able to use this flaw.

In transparent mode, hosts were not able to use this flaw.

By default the HTTP proxy is disabled and the allowed networks list is empty.

At any given time there was no vulnerability of the system itself, nor a remote exploit giving unprivileged users access to the system.

Impact:
-------
The allowed users have been able to connect to any TCP port on the Internet and therefore bypass the security policy defined in the packet filter.

Advice:
-------
Please make sure that only trusted/internal networks are selected in the allowed networks list of the HTTP proxy. This prevents abuse of the proxy from the outside/internet.

Fix Description:
----------------
To fix this issue a new configuration option has been added to the HTTP proxy configuration menu, giving you the ability to configure the services which are allowed to be used through the HTTP proxy.

By default we added the following services:
- HTTP
- HTTPS
- LDAP
- FTP_CONTROL
- SQUID

Vulnerable Versions:
--------------------
Astaro Security Linux 2.0 prior version 2.031
Astaro Security Linux 3.2 prior version 3.214

Bugfixed in version:
--------------------
Up2Date Package 2.032 (released Jan, 21st, 2003)
Up2Date Package 3.215 (released Jan, 17th, 2003)

Please update your system to the latest version available.

Astaro Security Team

Visit Astaro at:
- Infosecurity Italia 2003, Milano, Feb. 12 - 14, 2003
- Infosecurity Belgium 2003, Brussels, Feb. 26 - 27, 2003
- NetworkWorld Technical Seminar "VPN", Offenbach, Feb. 26.-27. 2003
- CeBIT 2003, Hannover, Mar. 12.-19, 2003
- Infosecurity Europe, London, Apr. 29 - May 1, 2003

-----Original Message-----
From: Volker Tanger [mailto:volker.tanger () discon de]
Sent: Monday, January 20, 2003 10:05 AM
To: bugtraq () securityfocus com
Subject: Astaro Security Linux Firewall - HTTP Proxy vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings!

A quite well known (i.e. ancient) type of proxy vulnerability was found in the https proxy of Astaro Security Linux firewall (which is a chrooted yet plain squid btw.)

This general problem has been known to be an issue with nearly all HTTP proxies for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver as port usage is completely unrestricted by the Astaro proxy.

Example:
    you = 6.6.6.666
    Astaro = 1.1.1.1 (http proxy at port 8080)
    Internal Mailserver = 2.2.2.2

connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter

    CONNECT 2.2.2.2:25 / HTTP/1.0

response: mail server banner - and running SMTP session e.g. to send SPAM from.

You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc.

Solution:

Install patch 3.215 - there you can restrict the ports you allow access to. I'd suggest ports

    21 70 80 443 563 210 1025-65535

which stand for FTP, Gopher, HTTP, HTTPS, HTTPS(seldom), WAIS and nonprivileged services (e.g. passive FTP)

Volker Tanger
IT-Security Consulting

- --
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon +49 30 6104-3307
fax +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.5

iD8DBQE+K7um0uordLlMxo4RAuP2AJwKDWUC0ruCMgr4lsmQMwrr2aZOXQCeOHdN
LhhcvkURae1erxD3tN59SlQ=
=arTl
-----END PGP SIGNATURE-----
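
An added example, not part of either message and not Astaro's or Squid's own code: a log check that scans Squid native-format access.log lines for CONNECT requests to ports outside the list suggested in the original post, and reports whether the proxy opened or refused each tunnel. The log layout is assumed to be Squid's native format; the sample lines and client addresses are constructed, and the function names are hypothetical.

```python
import re

# Port policy suggested in the original post: 21 70 80 443 563 210 1025-65535.
ALLOWED_PORTS = [(21, 21), (70, 70), (80, 80), (443, 443), (563, 563),
                 (210, 210), (1025, 65535)]

# Assumed layout (Squid native access.log):
#   time elapsed client result/status bytes method URL ident peer type
LINE_RE = re.compile(r"^\s*\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})"
                     r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed sample lines, not taken from a real system. 2.2.2.2 is the
# mail server address used in the post's own example.
SAMPLE_LOG = [
    "1043053500.101    210 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1043053501.202   1830 192.168.1.10 TCP_MISS/200 3912 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -",
    "1043053502.303   9120 192.168.1.23 TCP_MISS/200 742 CONNECT 2.2.2.2:25 - DIRECT/2.2.2.2 -",
    "1043053503.404      3 192.168.1.23 TCP_DENIED/403 1024 CONNECT 2.2.2.2:23 - NONE/- text/html",
]


def connect_target(authority):
    """Split a CONNECT target ('host:port' or '[v6]:port') into (host, port)."""
    host, sep, port = authority.rpartition(":")
    if not (sep and host and port.isdecimal() and 0 < int(port) <= 65535):
        return None
    return host.strip("[]"), int(port)


def find_violations(lines, allowed=ALLOWED_PORTS):
    """Return CONNECT requests whose destination port is outside the policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"].upper() != "CONNECT":
            continue  # malformed line, or not a tunnel request
        target = connect_target(m["url"])
        host, port = target if target else (m["url"], None)
        if port is not None and any(lo <= port <= hi for lo, hi in allowed):
            continue  # port is permitted by the policy
        findings.append({"client": m["client"], "host": host, "port": port,
                         # 2xx: the proxy opened the tunnel; otherwise it refused
                         "tunnel_opened": m["status"].startswith("2")})
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(finding)
```

A finding with tunnel_opened set to True means the port restriction is missing or not applied for that client; False means the request was attempted but refused.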