January 24th, 2003, 02:51 AM
Vulnerability: Astaro Security Linux Firewall - HTTP Proxy vulnerability
A quite well known (i.e. ancient) type of proxy vulnerability was found in the https proxy of Astaro Security Linux firewall (which is a chrooted yet plain squid btw.)
This general problem has been known to be an issue with nearly all HTTP proxies for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver, as port usage is completely unrestricted by the Astaro proxy.
you = 22.214.171.1246
Astaro = 126.96.36.199 (http proxy at port 8080)
Internal Mailserver = 188.8.131.52
Connect with "telnet 184.108.40.206 8080" to the Astaro proxy and enter CONNECT 220.127.116.11:25 / HTTP/1.0
Response: mail server banner, and a running SMTP session, e.g. to send spam from.
You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc.
Install patch 3.215; there you can restrict the ports you allow access to. I'd suggest ports 21 70 80 443 563 210 1025-65535, which stand for FTP, Gopher, HTTP, HTTPS, HTTPS (seldom), WAIS and nonprivileged services (e.g. passive FTP).
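The fix the post recommends is a destination-port allow-list for CONNECT, the same idea as squid's Safe_ports/SSL_ports ACLs. The following is an added example, not code from the original post, from Astaro or from squid: it parses CONNECT request lines, applies the port list suggested above, and audits a handful of constructed request lines so a defender can see which tunnels the policy would refuse (the internal SMTP case) and which it would still permit. Host names and the request lines are constructed for the example.

```python
"""Port allow-list check for HTTP CONNECT requests (added example).

Models the mitigation recommended in the post: a proxy should only tunnel
CONNECT requests to an explicit set of destination ports, so that an
unrestricted proxy cannot be used to reach an internal SMTP or telnet port.
"""
import re

# Allowed destination ports, taken from the post's suggestion.
# Assumption: ranges are inclusive and this is the policy loaded into the proxy.
ALLOWED_PORT_RANGES = [
    (21, 21),        # FTP
    (70, 70),        # Gopher
    (80, 80),        # HTTP
    (210, 210),      # WAIS
    (443, 443),      # HTTPS
    (563, 563),      # listed in the post as seldom-used HTTPS (snews)
    (1025, 65535),   # non-privileged services, e.g. passive FTP data
]

# CONNECT <host>:<port> HTTP/1.0|1.1 ; host may be a bracketed IPv6 literal.
CONNECT_LINE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\s*$"
)


def port_allowed(port, ranges=ALLOWED_PORT_RANGES):
    """True if the destination port falls inside one of the allowed ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def parse_connect(line):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_LINE.match(line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def decide(line, ranges=ALLOWED_PORT_RANGES):
    """Policy decision for one request line.

    'allow'       - CONNECT to a permitted port
    'deny'        - CONNECT to a port outside the allow-list
    'bad-request' - CONNECT line that does not parse (e.g. port out of range)
    'not-connect' - some other method; not subject to this check
    """
    if not line.lstrip().startswith("CONNECT "):
        return "not-connect"
    parsed = parse_connect(line)
    if parsed is None:
        return "bad-request"
    _host, port = parsed
    return "allow" if port_allowed(port, ranges) else "deny"


# Constructed sample request lines, as a proxy might see them.
SAMPLE_REQUESTS = [
    "CONNECT mail.internal.example:25 HTTP/1.0",   # internal SMTP -> deny
    "CONNECT www.example.com:443 HTTP/1.1",        # ordinary TLS  -> allow
    "CONNECT host.internal.example:23 HTTP/1.0",   # telnet        -> deny
    "CONNECT ftp.example.com:50000 HTTP/1.0",      # passive FTP   -> allow
    "GET http://www.example.com/ HTTP/1.0",        # not a tunnel  -> not-connect
]


def audit(requests=SAMPLE_REQUESTS, ranges=ALLOWED_PORT_RANGES):
    """Return [(request_line, decision), ...] for a batch of request lines."""
    return [(r, decide(r, ranges)) for r in requests]


if __name__ == "__main__":
    for req, verdict in audit():
        print(f"{verdict:12s} {req}")
```

Running the block prints one verdict per constructed line; the SMTP and telnet tunnels are refused while HTTPS and passive-FTP ports pass, which is exactly the behaviour the port restriction in patch 3.215 is meant to give. The same `decide` function can be pointed at proxy access-log request lines to find CONNECT attempts that an unrestricted proxy would have served.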
January 24th, 2003, 02:59 AM
Nice info and a very good link.
This site has some useful stuff.
Keep up the good posts.
January 24th, 2003, 03:04 AM
How is it that such well known security holes continue to exist? I understand that it is easy for a programmer to miss such a thing with so many problems to take care of, but with the widespread use of tiger teams and new ways of testing such software, an automated complete tester even, one would think that such problems would be rooted out before a product is released.
Does anyone know -why- this tendency exists? If we can figure that out, perhaps we can help stop this trend, or catch such problems sooner.