Astaro Security Linux Firewall - HTTP Proxy vulnerability

From: Volker Tanger (volker.tangerat_private)
Date: Mon Jan 20 2003 - 01:04:53 PST


    Greetings!
    
    A quite well known (i.e. ancient) type of proxy vulnerability was
    found in the https proxy of Astaro Security Linux firewall (which is
    a chrooted yet plain squid, btw.). This general problem has been known
    to be an issue with nearly all HTTP proxies for ages (e.g.
    http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
    
    The vulnerability can be exploited using the CONNECT method to
    connect to a different server, e.g. an internal mailserver as port
    usage is completely unrestricted by the Astaro proxy.
    
    Example:
    	you = 6.6.6.666
    	Astaro = 1.1.1.1  (http proxy at port 8080)
    	Internal Mailserver = 2.2.2.2
    
    	connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter
    	CONNECT 2.2.2.2:25 / HTTP/1.0
    
    	response: mail server banner - and running SMTP session e.g.
    	to send SPAM from.
    
    You can connect to any TCP port on any machine the proxy can connect
    to. Telnet, SMTP, POP, etc.
    
    
    Solution:
    
    Install patch 3.215 - there you can restrict the ports you allow
    access to. I'd suggest ports 21 70 80 443 563 210 1025-65535 which
    stand for FTP, Gopher, HTTP, HTTPS, HTTPS(seldom), WAIS and
    nonprivileged services (e.g. passive FTP).
    
    
    Volker Tanger
    IT-Security Consulting
    
    --
    discon gmbh
    Wrangelstraße 100
    D-10997 Berlin
    
    fon    +49 30 6104-3307
    fax    +49 30 6104-3461
    
    volker.tangerat_private
    http://www.discon.de/
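As an added example (not part of the original post, and not Astaro's or squid's own code): detection logic that applies the port list suggested above to squid-style access.log lines and flags CONNECT tunnels to ports outside it. The log lines are constructed, the client address 203.0.113.6 is a placeholder, and treating a port-less CONNECT target as 443 is an assumption.

```python
"""Flag CONNECT tunnels to ports outside an allow-list in squid-style access.log lines."""
import re
# Port policy suggested in the advisory for patch 3.215, as inclusive (lo, hi) ranges.
# In squid.conf the same control is expressed with "acl SSL_ports port ..." plus
# "http_access deny CONNECT !SSL_ports" (standard squid directives, not Astaro-specific).
ALLOWED_PORT_RANGES = [(21, 21), (70, 70), (80, 80), (443, 443), (563, 563),
                       (210, 210), (1025, 65535)]

def port_allowed(port, ranges=ALLOWED_PORT_RANGES):
    """True if the destination port falls inside one of the allowed ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)

# Squid native access.log layout: time elapsed client result/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_connect_target(url):
    """Split a CONNECT target 'host:port' into (host, port).
    Assumption: a target without an explicit port is treated as 443."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, 443
    return host, int(port)

def find_tunnel_abuse(lines):
    """Return (client, host, port) for every CONNECT to a port outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # only CONNECT can open an arbitrary TCP tunnel through the proxy
        host, port = parse_connect_target(m.group("url"))
        if not port_allowed(port):
            hits.append((m.group("client"), host, port))
    return hits

# Constructed sample log lines; 2.2.2.2 is the internal mail server from the advisory,
# 203.0.113.6 stands in for the external client.
SAMPLE_LOG = [
    "1043050000.101 120 203.0.113.6 TCP_MISS/200 4821 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -",
    "1043050000.202 305 203.0.113.6 TCP_MISS/200 912 CONNECT 2.2.2.2:25 - DIRECT/2.2.2.2 -",
    "1043050000.303 15 203.0.113.6 TCP_MISS/200 1200 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1043050000.404 88 203.0.113.6 TCP_MISS/200 640 CONNECT 2.2.2.2:110 - DIRECT/2.2.2.2 -",
]
if __name__ == "__main__":
    for client, host, port in find_tunnel_abuse(SAMPLE_LOG):
        print(f"tunnel to non-allowed port: {client} -> {host}:{port}")
```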
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 14:48:07 PST