Hacking via squid caches

From: Nigel Metheringham <Nigel.Metheringham@dont-contact.us>
Date: Wed, 01 Jul 1998 11:05:45 +0100

I am enclosing excerpts of a news article posted to alt.ph.uk - see
news:6n0jhc$4qs$1@apple.news.easynet.net - which includes details of how
to usurp squid caches for putting out mail and similar services.

The fix should be to add a set of ports to your acls that you wish to
block in URLS - these should (probably) include 23 (telnet) 25 (smtp) 119
(nntp) and a series of others. However blocking all ports bar 80 is
likely to cause problems for sites that run content on other ports (lots
of them :-( ).


#---- quotes from news article follow:-

Before the loophole was closed you would be allowed to access any host on
the Internet via one of these proxy servers by using requests very similar
to those used on http servers. These would be in the form of:

(request) (protocol)://[user:pass]@(host):[port]/[path] (anything)

Where (request) is GET or PUT
      (protocol) is http, ftp, gopher or wais
      [user:pass@] is an optional username and password for the
             object being accessed
      (host) is a hostname or IP address
      [:port] is an optional port number
      [path] is the location of the object being accessed (if omitted,
             the root object is assumed)
      (anything) can be any old gibberish added on the end to make the
             thing work correctly. This would usually be something like
             'HTTP/1.1' on a real http server but the actual content of
             this is ignored on these proxy servers

For example,

GET http://www.nothing.net:8080/testing x
GET ftp://ftp.pipex.net/people/nicolai/ fgh (someone's holiday pics :)
PUT http://r0002:mariguch@upload.files.org/stuff.zip HTTP/4.4

Note that for some reason PUT requests can only be performed via http.

After the request has been sent a number of headers may be sent also,
terminated by a single blank line. These are in the form (Header): (Data)
and will be sent after an http request is made to a server.

As an example of all this, when connecting to the echo port of a server:

(connect to mist.pipex.net:3128)
(send) GET http://tempest.pipex.net:7 fgh
(send) X-Header-Test: hello world
(recv) GET / HTTP/1.0 <- the request
(recv) X-Header-Test: hello world <- optional header sent
(recv) Via: 0.0 mist:3128 (Squid/1.1.21) } headers sent by
(recv) X-Forwarded-For: } proxy server
(recv) Host: tempest.pipex.net }
(recv) Cache-control: Max-age=259200 }

Now if you were using a web browser you wouldn't care about any of this as
it would all be done for you transparently. However, there are reasons why
you would want to do this manually:

When the proxy server receives a GET request it connects to the specified
host and after the request is forwarded to this host you are connected to
it in half duplex mode, i.e. only receiving data, anything you send is
ignored. However, PUT requests open a connection in full duplex mode so
anything that requires full interactivity such as a telnet session or IRC
can be carried out. As an example, if you wanted to log in to server
test.org using username 'guest' and password 'hello' you might do
something like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# telnet haar.pipex.net 3128
Connected to
Escape character is '^]'.
PUT http://test.org:23 zz
zz <- this is just to align the user/pass prompts correctly
                                            <- (blank line)

testing.test.org (ttyp2)

login: PUT / HTTP/1.0 <- proxy server always sends this
password: <- 'zz'
login incorrect

login: guest <- now properly aligned

Last login: 12:34:56 7.8.90 on ttyp3

Welcome to test.org!
etc. whatever.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Of course, telnet is just one possibility. IRC, mail, news and so on could
be used similarly, with a few simple modifications to the code.

In fact, it's possible to connect to Pipex's, and many other ISPs', mail
relay and news servers through their proxy servers in this way, which
allows anonymous postings such as this one. This is very useful for
covering your tracks should you be doing something slightly dodgy. Bear in
mind that everything is most likely logged though.

#--- rest snipped - not really relevant to squid.


[ Nigel.Metheringham@theplanet.net   -  Systems Software Engineer ]
[ Tel : +44 113 207 6112                   Fax : +44 113 234 6065 ]
[      Real life is but a pale imitation of a Dilbert strip       ]
Received on Wed Jul 01 1998 - 03:06:45 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:41:01 MST