Date: Mon, 20 Jan 2003 10:04:53 +0100
From: Volker Tanger <volker.tanger@discon.de>
To: bugtraq@securityfocus.com
Subject: Astaro Security Linux Firewall - HTTP Proxy vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings!
A quite well known (i.e. ancient) type of proxy vulnerability was
found in the https proxy of Astaro Security Linux firewall (which is
a chrooted yet plain squid btw.) This general problem has been known
to be an issue with nearly all HTTP proxies for ages (e.g.
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
The vulnerability can be exploited using the CONNECT method to
connect to a different server, e.g. an internal mailserver as port
usage is completely unrestricted by the Astaro proxy.
Example:
you = 6.6.6.666
Astaro = 1.1.1.1 (http proxy at port 8080)
Internal Mailserver = 2.2.2.2
connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter
CONNECT 2.2.2.2:25 / HTTP/1.0
response: mail server banner - and running SMTP session e.g.
to send SPAM from.
You can connect to any TCP port on any machine the proxy can connect
to. Telnet, SMTP, POP, etc.
Solution:
Install patch 3.215 - there you can restrict the ports you allow
access to. I'd suggest ports 21 70 80 443 563 210 1025-65535 which
stand for FTP, Gopher, HTTP, HTTPS, HTTPS(seldom), WAIS and
nonprivileged services (e.g. passive FTP)
Volker Tanger
IT-Security Consulting
- --
discon gmbh
Wrangelstraъe 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger@discon.de
http://www.discon.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.5
iD8DBQE+K7um0uordLlMxo4RAuP2AJwKDWUC0ruCMgr4lsmQMwrr2aZOXQCeOHdN
LhhcvkURae1erxD3tN59SlQ=
=arTl
-----END PGP SIGNATURE-----
