Re: sockd loopback

From: Jordan Ritter (jpr5at_private)
Date: Thu Jul 08 1999 - 06:38:31 PDT


    On Thu, 8 Jul 1999 riegerat_private wrote:
    
    > This allows for three typical exploit scenarios:
    > 1) The client can circumvent IP filters that protect the firewall's
    >    services on the network interfaces.
    > 2) The client can reach TCP services that are listening only on the
    >    loopback interface.
    > 3) The client can circumvent IP address based authentication, because
    >    the accessed service only sees the loopback address with which
    >    sockd connected instead of the real client's address.
    
    You've actually missed a fourth, related but not quite the same -- a
    scenario where the (socks) proxy itself is listening on all interfaces,
    loopback as well as external.  Connect to proxy, authenticate with proxy,
    socks_connect to localhost, authenticate, socks_connect, wash rinse
    repeat.  In most cases this will result in some form of resource
    exhaustion, or as in some cases with Wingate's most recent version of
    SOCKS, server death and even OS death (hang or blue screen).
    
    Also, this isn't just limited to loopback; you're actually more likely to
    accomplish this form of DoS by reconnecting to the proxy's external IP.
    And, even if you block these kinds of "looped" connections, you can easily
    bounce between two SOCKS servers to accomplish the same attack.
    
    Of course, for any of the above to be an easily perpetrated attack, the
    SOCKS server has to allow AUTH_NONE (method 0x00) authentication.
    Unfortunately, by default most SOCKS servers do (although, IIRC Dante is
    not one of these).
    
    > But when I used X Windows over a manipulated socks client to connect
    > to the socks server on the firewall and had it access port 6000 on
    > 127.0.0.1, I succeeded in taking, e.g., a screendump from the firewall
    > display.
    
    Oh, that's neat.
    
    > I did not test SOCKS 5; I only suppose that this very problem still
    > exists.
    
    Yes, this is an issue concerning improper/incomplete access rules, not
    about SOCKS4.  Certainly SOCKS5 could be used in this scenario, as well as
    pretty much any other proxy software.
    
    There is no immediately obvious, logical reason to allow connections from
    the server to the server.  Therefore, a properly configured SOCKS server
    (and really, any proxy in general) should block any connection request
    whose destination is an IP owned by the proxy -- loopback, and all
    external interfaces.
    
    
    --jordan
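The rule stated at the end of the message (reject any proxied connection whose destination is an address the proxy itself owns, loopback and all external interfaces) is shown below as a worked example. This is added illustration, not code from the post or from any of the SOCKS servers it mentions. It uses SOCKS5 request framing from RFC 1928 because the reply notes the problem is not specific to SOCKS4; the address inventory, the tiny resolver table and the request builder are constructed for the example, and the reply code used for a refused request is 0x02, "connection not allowed by ruleset". The check also covers two cases the message does not spell out: the whole 127.0.0.0/8 range rather than just 127.0.0.1, and IPv4-mapped IPv6 or unspecified addresses that would land on the local host.

```python
import ipaddress
import struct
from typing import Callable, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed inventory of addresses this proxy owns: loopback plus every
# external interface. A real sockd would build this from the interface list
# at startup (and rebuild it if interfaces change).
PROXY_OWNED = frozenset({
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("192.0.2.10"),   # TEST-NET stand-in for the external interface
})

# SOCKS5 reply codes (RFC 1928, section 6)
REP_SUCCEEDED = 0x00          # here: request passed the ruleset, may proceed
REP_NOT_ALLOWED = 0x02        # "connection not allowed by ruleset"
REP_CMD_UNSUPPORTED = 0x07

CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT.
    Returns (cmd, dst, port); dst is an ip_address, or a str for ATYP 0x03."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        dst, tail = ipaddress.IPv4Address(data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        dst, tail = ipaddress.IPv6Address(data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        dst, tail = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError("unsupported ATYP 0x%02x" % atyp)
    if len(tail) < 2:
        raise ValueError("truncated request")
    return cmd, dst, struct.unpack("!H", tail[:2])[0]


def is_self_directed(dst: Addr) -> bool:
    """True if a connection to dst would terminate on the proxy host itself."""
    if isinstance(dst, ipaddress.IPv6Address) and dst.ipv4_mapped is not None:
        dst = dst.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    # is_loopback covers all of 127.0.0.0/8 and ::1; 0.0.0.0 connects locally too.
    return dst.is_loopback or dst.is_unspecified or dst in PROXY_OWNED


def check_ruleset(data: bytes, resolve: Callable[[str], Addr]) -> int:
    """Apply the 'never connect back to the proxy' rule to a raw request and
    return the SOCKS5 reply code the server should send (0x00 = proceed)."""
    cmd, dst, _port = parse_socks5_request(data)
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED
    if isinstance(dst, str):
        dst = resolve(dst)             # decide on the resolved address, never the name
    return REP_NOT_ALLOWED if is_self_directed(dst) else REP_SUCCEEDED


# Constructed name table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "localhost": ipaddress.ip_address("127.0.0.1"),
    "www.example.com": ipaddress.ip_address("198.51.100.7"),
}


def constructed_resolver(name: str) -> Addr:
    try:
        return CONSTRUCTED_DNS[name.lower()]
    except KeyError:
        raise ValueError("unresolvable name: %s" % name)


def build_request(dst: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Build a SOCKS5 request as a client would send it (used for the samples)."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        name = dst.encode("ascii")
        return bytes([5, cmd, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([5, cmd, 0, atyp]) + ip.packed + struct.pack("!H", port)


if __name__ == "__main__":
    # The X server case from the thread: CONNECT to 127.0.0.1:6000 via the proxy.
    for target, port in [("127.0.0.1", 6000), ("192.0.2.10", 1080),
                         ("localhost", 6000), ("198.51.100.7", 80)]:
        rep = check_ruleset(build_request(target, port), constructed_resolver)
        print("%-16s:%-5d -> reply 0x%02x" % (target, port, rep))
```

A server that already authenticates clients still wants this check: the message's point is that an authenticated (or AUTH_NONE) client can otherwise reach loopback-only services and loop back into the proxy's own listener, so the rule belongs in the access policy independent of the authentication method.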
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:51 PDT