Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Spam via proxy

From: Volker Tanger <volker.tanger () discon de>
Date: Mon, 09 Dec 2002 11:10:46 +0100
Greetings!

listuser wrote:
I work at a cable ISP and lots of our customers have open wingate, squid or socks proxies. These are regularly being used by spammers to send their scum. 

The ancient "Proxy vulnerability" as in
http://www.securityfocus.com/bid/4131
This general problem has been known to be an issue with plain HTTP proxies like the Squid for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
ie if some one can tell me how to replicate this via a telnet session to the relevent port it will be great. 


The vulnerability can be exploited using the CONNECT method to
connect to a different server, e.g. an internal mailserver as
port usage is completely unrestricted by the ISVW proxies V 3.6

Example:
        you = 6.6.6.666
        Trendmicro ISVW = 1.1.1.1  (http proxy at port 80)
        Internal Mailserver = 2.2.2.2

        connect with "telnet 1.1.1.1 80" to ISVW proxy and enter
        followed with two linefeeds:
        CONNECT 2.2.2.2:25 / HTTP/1.0

        response: mail server banner - and running SMTP session e.g.
        to send SPAM from.

You can connect to any TCP port on any machine the proxy
can connect to. Telnet, SMTP, POP, etc. You can see it in the logs you provided as CONNECT (squid), SSL (wingate) methods - all to port 25 (smtp).
How these cases are being handled else where. One problem we have faced is that the actual users are clueless about what is going on. Are people blocking squid and socks ports at the border router?
For squid see above URL. For TrendMicro ISVW see http://online.securityfocus.com/archive/1/302200
Generally we (advise to) put any proxy into a (separate) DMZ which only is accessible via a firewall (the usual 3-leg firewall config) that is blocking all but the identified, needed connections. 

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
WrangelstraƟe 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: