Inktomi Traffic-Server XSS: man-in-the-middle XSS !

[Hugo "Vázquez" "Caramés" <overclocking_a_la_abuela () hotmail com>]

Please we would like that credits of this vulnerability go to INFOHACKING 
(Hugo Vázquez Caramés and Toni Cortés Martinez). Actually we work 
at "Secdor R&D". The vulnerabily was found, once again, during a pen-test.

######################################################################
                INKTOMI Traffic-Server XSS 
######################################################################

We have just discovered a bug in a software called "Inktomi Traffic-
Server", this is a proxy cache server used by Large ISPs and Backbone 
Providers to increase speed of web surfing. The software seems to have 
been adquired by WebSense,but there's not too much public info about this. 
We don`t know who is responsabile for this software.  

THE PROBLEM (Tested on Traffic-Server 5.5.1 used by Telefónica in Spain)

A special request by a client passing through the Inktomi Traffic-Server 
causes an error page generated by the proxy. This dinamic error page is 
vulnerable to Cross Site Scriptting... The really important thing is that 
the client making the request IS UNABLE to distinguish what  domain 
generated this code... so the XSS on this proxy makes vulnerable any 
client going trough it. Indirectly any server whose clients come trough 
the Traffic-Server and using cookies to track sessions are "vulnerable".
The Inktommi's Traffic-Server is used at our country (Spain) by 
Telefonica, friendly known as "Timofonica", but also on many other places 
in the world, nowadays more and more providers are using this software. 
Many, many people, is affected by this problem.

--How to reproduce--

With a web client:

1) First you need a client that is going through a Traffic-Server. You can 
check it making an http TRACE request to a server that supports this 
method.If you see a response like this:

HTTP/1.0 200 OK
Date: Wed, 14 May 2003 07:31:13 GMT
Server: XXXXXX
Content-Type: message/http
Age: 1523

TRACE / HTTP/1.0
Client-ip: XXXXXXXXXXXX
X-Forwarded-For: XXXXXXXXXXXX
Connection: keep-alive
Via: HTTP/1.0 proxy[AC1EF246] (Traffic-Server/5.5.1-58900 [uSc ])
Host: XXXXXXXXXXXX

your http traffic is being proxyfied by a Traffic-Server.

Configure this client to use a proxy* (any IP on port 80) on the other 
side of the Traffic-Server.
*(It is not necessary that the proxy exists: the request will be grapped 
by the Trafiic-Server)

2) Make a request like this:

http://<spoofed_domain>:443/</em>&lt;script&gt;alert()&lt;/script&gt;

You will see the script executed on your browser!

Manually:

C:\>nc -v -v <spoofed_domain> 80
<spoofed_domain>: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [<spoofed_domain>] 80 (http) open

GET http://<spoofed_domain>:443/</em>&lt;script&gt;alert()&lt;/script&gt;
<HEAD><TITLE>Access Denied</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black"><H1>Access Denied</H1><HR>
<FONT FACE="Helvetica,Arial"><B>
Description: You are not allowed to access the document at 
location "<em>http://<spoofed_domain>:443/</em>&lt;script&gt;alert()
&lt;/script&gt;</em>".</B></FONT>
<HR>
<!-- default "Access Denied" response (403) -->
</BODY>
 sent 61, rcvd 350: NOTSOCK


As you can see the error page is not generated by the final server, 
instead is the Traffic-Server the one who generates this error. The BIG 
problem here is that the client believes the response page generated comes 
from the <spoofed_domain>... this makes posible to exploit this flaw to 
steal cookies of ANY (yes any) domain...
This is like a "man in the middle" attack...a new way of taking advantage 
of XSS... probably more devices working as "transparent" proxys will be 
affected in the future by similar flaws...and exposing clients and servers.


The trick of the exploit is that the socket opened is on port 80 to force 
the proxy to capture the connection, then you have to request an URL to an 
open port other than 80, for example 25. If the port is open on the final 
server, the Traffic-Server will respond with the error page, if the port 
is closed, the connection will time out (so this method can also be used 
to port scan from a Traffic-Server). Now there's the challenge to make it 
work on a server with only port 80 open... Once again it seems that 
there's a trick to bypass this restriction: using port 443. As far we 
could test, for resquests on port 443, the proxy does not check if that 
port is opened on the final target, so the best way to exploit this is 
using the port 443.

A screenshoot of our exploit working against Hotmail will be available at 
http://www.infohacking.com. This can be extented to any domain. E-
commerce/Home-Banking are probably the most affected scenarios.

Regards,

"We would like to dedicate this research to all the people in spain that 
have been affected by those inconvinient devices."
"Nos gustaria dedicar esta investigación a todos aquellos usuarios que se 
han visto afectados por los jodidos proxys de Telefónica"

Hugo Vázquez Caramés & Toni Cortés Martínez 
INFOHACKING RESEARCH 2003
www.infohacking.com
Barcelona (SPAIN)
(We are working at Secdor R&D)