Security Incidents mailing list archives
Proxy server object cache poisoning?
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Fri, 29 Sep 2000 14:49:28 -0400
Hey all, I was wondering if anybody has seen this form of attack in their environment? Proxy object cache poisoning is the act of replacing an object that has been cached by a proxy server with a compromised copy of that object (kind of like DNS cache poisoning where www.metallica.com points too Napster's site for some reason <g>). For example, a hacker breaks into a proxy server for a large organization. (S)He has access for a week when the next servicepack is released for Windows 2000. (S)He replaces the cached file on the proxy server with a compromised version that includes a trojan. Every admin who then downloads the servicepack from that point on gets a compromised copy and the trojan runs rampant in the organization. This can be a problem on a proxy server that stores their files as renamed URL's on the hard drive much like Microsoft Proxy Server 2.0. All one has to do is find the file out of a bunch of directories (the '\urlcache' directory in Microsoft Proxy Server 2.0) and replace it with whatever they like. Fortunately, this problem has been resolved by MS in ISA, as all cached data is stored in a database format. Novell's BorderManager does the same if I remember correctly. So has anybody seen this happen? Thanks, Abe Abe L. Getchell - Security Engineer Division of System Support Services Kentucky Department of Education Voice 502-564-2020x225 E-mail agetchel () kde state ky us Web http://www.kde.state.ky.us/
Current thread:
- Proxy server object cache poisoning? Abe Getchell (Sep 30)
- <Possible follow-ups>
- Re: Proxy server object cache poisoning? Brvenik, Jason (Oct 02)