Nmap Development mailing list archives

Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 10 Oct 2011 14:34:09 -0700

Hi,

I don't have access to a vulnerable installation but I wanted to share a couple of things I noticed:

* portrule = shortport.service("http")
It should be portrule = shortport.http if you want it to run against https servers as well.

* If the pipeline is empty, it will crash. Add a return after the check:

if not bypass_request then
  stdnse.print_debug(1, "%s : got no answers from pipelined queries", SCRIPT_NAME)
  return
end

Otherwise we get a crash with the trace:
http-reverseproxy-bypass.nse:69: attempt to get length of local 'bypass_request' (a nil value)

I think this is a good idea for an NSE script. I'll set up a vulnerable installation and report results later.


On 10/10/2011 10:54 AM, Gutek wrote:

Hi all,

A few days ago Contextis (1) has published a flaw against some Apache
webservers.
It has been described as "a new type of security vulnerability which can
allow full internal system access from the internet from an
unauthenticated perspective. This technique exploits insecurely
configured reverse web proxies to gain access to internal/DMZ systems.

Apache web server is affected by this issue when running in reverse
proxy mode"

Attached is an NSE script to reveal this vulnerability. Unfortunately, I
don't have a vulnerable target at hand, hence I've tested against a
bunch of -iR.
I've found very few vulnerable ones, and that's not enough to be
confident with this script.
Of course I can't give them here, as I don't want to publicly expose
them: that's why I'm calling for testers (2).

The output looks like this:
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-reverseproxy-bypass: VULNERABLE to CVE-2011-3368, allows requests to external websites

Thanks!

A.G.

(1)  http://www.contextis.com/research/blog/reverseproxybypass/
(2) ...but I'd be happy to give an example privately :)


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-reverseproxy-bypass.nse

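The two points raised above (use shortport.http so the script also runs against https services, and guard the result of the pipelined request batch before indexing it) are shown together below in a minimal NSE script. This is an added illustration, not the script attached to the thread; it only fetches a couple of harmless paths and reports their status codes, and the NSE API names (http.pipeline_add, http.pipeline_go, shortport.http, stdnse.format_output) are taken from the Nmap library documentation rather than from this thread.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Added example: pipelines a few GET requests and reports the status
code of each, demonstrating a nil guard on the pipeline result.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- shortport.http matches http and https services alike (the first point
-- from the mail); shortport.service("http") would skip https ports.
portrule = shortport.http

action = function(host, port)
  -- constructed sample paths; nothing here probes for the proxy bypass
  local paths = {"/", "/robots.txt"}
  local all_requests = {}
  for _, p in ipairs(paths) do
    http.pipeline_add(p, nil, all_requests, "GET")
  end

  local responses = http.pipeline_go(host, port, all_requests)
  -- pipeline_go returns nil when nothing came back (connection refused,
  -- timeout, ...). Without this guard, #responses raises
  -- "attempt to get length of ... (a nil value)", the crash from the mail.
  if not responses then
    stdnse.print_debug(1, "%s : got no answers from pipelined queries", SCRIPT_NAME)
    return
  end

  local out = {}
  for i, r in ipairs(responses) do
    -- a single failed request yields a response table without a status
    if r and r.status then
      out[#out + 1] = string.format("%s -> %d", paths[i], r.status)
    else
      out[#out + 1] = string.format("%s -> no response", paths[i])
    end
  end
  return stdnse.format_output(true, out)
end
```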
