90161 2003-02-10  22:29  /142 lines/ Markus Hennig <mhennig@astaro.com>
Imported: 2003-02-10  22:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3460>
Subject: RE: Astaro Security Linux Firewall - HTTP Proxy vulnerability
------------------------------------------------------------
Bugtraq: Astaro Security Linux Firewall - HTTP Proxy vulnerability


Vulnerability description:
-------------------------
The HTTP proxy can be used to connect to any TCP port
and not only to certain 'safe' ports.

The vulnerability only takes effect for clients that have
allowed access to the proxy.

In standard mode, only hosts defined in the allowed networks list of 
the HTTP proxy have been able to use this flaw. In user authentication 
mode, only hosts defined in the allowed networks list, and only after a 
correct user authentication, have been able to use this flaw.
In transparent mode, hosts were not able to use this flaw.

By default the HTTP proxy is disabled and the allowed networks list
is empty.

At no time was there a vulnerability in the system
itself, nor a remote exploit giving unprivileged users 
access to the system.

Impact:
-------
The allowed users have been able to connect to any TCP port on the internet 
and therefore bypass the security policy defined in the packet filter.

Advice:
-------
Please make sure that only trusted/internal networks are
selected in the allowed networks list of the HTTP proxy.
This prevents abuse of the proxy from the outside/internet.

Fix Description:
----------------
To fix this issue a new configuration option has been added
to the HTTP proxy configuration menu, giving you the ability to 
configure the services which are allowed to be used through the 
HTTP proxy.

By default we added the following services:
- HTTP
- HTTPS
- LDAP
- FTP_CONTROL
- SQUID

Vulnerable Versions:
--------------------
Astaro Security Linux 2.0 prior to version 2.031
Astaro Security Linux 3.2 prior to version 3.214

Bugfixed in version:
--------------------
Up2Date Package 2.032 (released Jan 21st, 2003)
Up2Date Package 3.215 (released Jan 17th, 2003)

Please update your system to the latest version available.

Astaro Security Team

Visit Astaro at:
- Infosecurity Italia 2003, Milano, Feb. 12 - 14, 2003
- Infosecurity Belgium 2003, Brussels, Feb. 26 - 27, 2003
- NetworkWorld Technical Seminar "VPN", Offenbach, Feb. 26 - 27, 2003
- CeBIT 2003, Hannover, Mar. 12 - 19, 2003
- Infosecurity Europe, London, Apr. 29 - May 1, 2003


> -----Original Message-----
> From: Volker Tanger [mailto:volker.tanger@discon.de]
> Sent: Monday, January 20, 2003 10:05 AM
> To: bugtraq@securityfocus.com
> Subject: Astaro Security Linux Firewall - HTTP Proxy vulnerability
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Greetings!
> 
> A quite well known (i.e. ancient) type of proxy vulnerability was
> found in the https proxy of Astaro Security Linux firewall (which is
> a chrooted yet plain squid btw.) This general problem has been known
> to be an issue with nearly all HTTP proxies for ages (e.g.
> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
> 
> The vulnerability can be exploited using the CONNECT method to
> connect to a different server, e.g. an internal mailserver as port
> usage is completely unrestricted by the Astaro proxy.
> 
> Example:
> 	you = 6.6.6.666
> 	Astaro = 1.1.1.1  (http proxy at port 8080)
> 	Internal Mailserver = 2.2.2.2
> 
> 	connect with "telnet 1.1.1.1 8080" to Astaro proxy and enter
> 	CONNECT 2.2.2.2:25 / HTTP/1.0
> 
> 	response: mail server banner - and running SMTP session e.g.
> 	to send SPAM from.
> 
> You can connect to any TCP port on any machine the proxy can connect
> to. Telnet, SMTP, POP, etc.
> 
> 
> Solution:
> 
> Install patch 3.215 - there you can restrict the ports you allow
> access to. I'd suggest ports 21 70 80 443 563 210 1025-65535 which
> stand for FTP, Gopher, HTTP, HTTPS, HTTPS (seldom), WAIS and
> non-privileged services (e.g. passive FTP).
> 
> 
> Volker Tanger
> IT-Security Consulting
> 
> - --
> discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
> 
> fon    +49 30 6104-3307
> fax    +49 30 6104-3461
> 
> volker.tanger@discon.de
> http://www.discon.de/
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.5
> 
> iD8DBQE+K7um0uordLlMxo4RAuP2AJwKDWUC0ruCMgr4lsmQMwrr2aZOXQCeOHdN
> LhhcvkURae1erxD3tN59SlQ=
> =arTl
> -----END PGP SIGNATURE-----
> 
> 
>
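An added example, not code from either message nor from Astaro or Squid: a small Python model of the per-port allow-list that the fix description introduces and of the port list Volker Tanger suggests. It decides, for a proxy request line, whether the unrestricted pre-update behaviour or the restricted policy would let the request through, and it scans access-log records for CONNECT tunnels the restricted policy would not have permitted, which is what an administrator would look for in logs from before the update. The port numbers come from the two messages; the request lines, log records and client addresses are constructed for this example.

```python
"""Added example, not Astaro's or Squid's code: a model of a per-port
allow-list for a forwarding proxy, applied to request lines and to
constructed access-log records."""
import re
from dataclasses import dataclass


def parse_port_list(spec):
    """Expand a Squid-style port list ('80 443 1025-65535') into (lo, hi) ranges."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {tok!r}")
        ranges.append((lo, hi))
    return tuple(ranges)


def port_in(port, ranges):
    """True if port falls inside any (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Policy:
    connect_ports: tuple   # ports a CONNECT tunnel may target (Squid: SSL_ports)
    safe_ports: tuple      # ports a plain GET/POST/... may target (Squid: Safe_ports)


# Behaviour the advisory describes for versions before 2.031 / 3.214:
# every TCP port reachable, whether via CONNECT or a plain request.
OPEN_POLICY = Policy(connect_ports=((1, 65535),), safe_ports=((1, 65535),))

# Restricted policy: tunnels only to the TLS ports, plain requests only to
# the list Tanger suggests (FTP, Gopher, HTTP, HTTPS, WAIS, unprivileged ports).
RESTRICTED_POLICY = Policy(
    connect_ports=parse_port_list("443 563"),
    safe_ports=parse_port_list("21 70 80 443 563 210 1025-65535"),
)

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")
ABSOLUTE_URL = re.compile(r"^([a-z]+)://([^/:]+)(?::(\d+))?")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def target_port(method, target):
    """Return (host, port) for a request target; raise ValueError if unusable."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"CONNECT target must be host:port, got {target!r}")
        return host, int(port)
    m = ABSOLUTE_URL.match(target)
    if not m or m.group(1) not in DEFAULT_PORTS:
        raise ValueError(f"unsupported request target {target!r}")
    port = int(m.group(3)) if m.group(3) else DEFAULT_PORTS[m.group(1)]
    return m.group(2), port


def decide(request_line, policy):
    """'allow' or 'deny' for one proxy request line under the given policy."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "deny"                     # malformed request lines are refused
    method, target = m.groups()
    try:
        _, port = target_port(method, target)
    except ValueError:
        return "deny"
    allowed = policy.connect_ports if method == "CONNECT" else policy.safe_ports
    return "allow" if port_in(port, allowed) else "deny"


# Constructed access-log records in Squid's native format
# (timestamp elapsed client action/code bytes method URL ident hierarchy type).
SAMPLE_LOG = [
    "1043053500.101    312 10.0.0.5 TCP_MISS/200 4211 CONNECT 2.2.2.2:25 - DIRECT/2.2.2.2 -",
    "1043053501.202     98 10.0.0.5 TCP_MISS/200 9812 GET http://www.squid-cache.org/Doc/FAQ/FAQ-10.html - DIRECT/192.0.2.10 text/html",
    "1043053502.303    540 10.0.0.7 TCP_MISS/200 1530 CONNECT www.example.com:443 - DIRECT/192.0.2.20 -",
]
LOG_LINE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+([A-Z]+)\s+(\S+)")


def tunnels_outside_policy(log_lines, policy):
    """List (client, host, port) for CONNECT tunnels the policy would not allow.

    Run over logs from before the update, this shows which clients used the
    proxy to reach ports the packet filter was meant to block.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group(2) != "CONNECT":
            continue
        try:
            host, port = target_port("CONNECT", m.group(3))
        except ValueError:
            continue
        if not port_in(port, policy.connect_ports):
            hits.append((m.group(1), host, port))
    return hits


if __name__ == "__main__":
    for line in ("CONNECT 2.2.2.2:25 HTTP/1.0", "CONNECT www.example.com:443 HTTP/1.0",
                 "GET http://2.2.2.2:25/ HTTP/1.0"):
        print(f"{line:40} open={decide(line, OPEN_POLICY):5} restricted={decide(line, RESTRICTED_POLICY)}")
    print("tunnels outside policy:", tunnels_outside_policy(SAMPLE_LOG, RESTRICTED_POLICY))
```

The two policies correspond to what Squid's stock configuration expresses with `acl SSL_ports port 443 563`, `acl Safe_ports port ...`, `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; the point of the restricted policy is that a CONNECT to port 25, the case in Tanger's message, is refused before any connection to the inner host is made, while ordinary HTTP and HTTPS traffic is unaffected. The log scan only classifies records it can parse and only looks at CONNECT, since a plain request to an odd port is visible in the URL itself.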
(90161) /Markus Hennig <mhennig@astaro.com>/(Rewrapped)