Greetings! listuser wrote: > I work at a cable ISP and lots of our customers have open wingate, > squid or socks proxies. These are regularly being used by spammers to > send their scum. The ancient "Proxy vulnerability" as in http://www.securityfocus.com/bid/4131 This general problem has been known to be an issue with plain HTTP proxies like the Squid for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). > ie if some one can tell me how to replicate this via a telnet session > to the relevent port it will be great. The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver as port usage is completely unrestricted by the ISVW proxies V 3.6 Example: you = 6.6.6.666 Trendmicro ISVW = 1.1.1.1 (http proxy at port 80) Internal Mailserver = 2.2.2.2 connect with "telnet 1.1.1.1 80" to ISVW proxy and enter followed with two linefeeds: CONNECT 2.2.2.2:25 / HTTP/1.0 response: mail server banner - and running SMTP session e.g. to send SPAM from. You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc. You can see it in the logs you provided as CONNECT (squid), SSL (wingate) methods - all to port 25 (smtp). > How these cases are being handled else where. One problem we have > faced is that the actual users are clueless about what is going on. > Are people blocking squid and socks ports at the border router? For squid see above URL. For TrendMicro ISVW see http://online.securityfocus.com/archive/1/302200 Generally we (advise to) put any proxy into a (separate) DMZ which only is accessible via a firewall (the usual 3-leg firewall config) that is blocking all but the identified, needed connections. Bye Volker Tanger IT-Security Consulting -- discon gmbh WrangelstraĆe 100 D-10997 Berlin fon +49 30 6104-3307 fax +49 30 6104-3461 volker.tangerat_private http://www.discon.de/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:33:44 PST