Months later, more products identified using exploitable transparent proxy architecture
It's been more than 3 months since I published my paper on abusing transparent proxies with Flash, and 4 months since CERT's Advisory (VU#435052). Since that time, additional products have been identified as being exploitable.
Still Vulnerable
- Squid
  http://www.squid-cache.org/
- Astaro
  http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html
- QBik Wingate
  http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802
- Tiny Proxy?
  https://packetprotector.org/forum/viewtopic.php?id=4018
- Smoothwall, SchoolGuardian, and NetworkGuardian
  http://www.kb.cert.org/vuls/id/MAPG-7M6SM7

Products with fixes or workarounds
- DansGuardian 2.10.1.1 (web content filtering proxy)
  http://www.macorchard.com/www/DansGuardian.php
- Ziproxy 2.7.0
  http://ziproxy.sourceforge.net/
- Bluecoat (Note: Still vulnerable in default configuration)
  https://bto.bluecoat.com/support/securityadvisories/ProxySG_in_transparent_deployments
- Bloxx (web filtering gateway)
  http://www.bloxx.com/support/url-filtering-technical-notes.php
- Funkwerk UTM 1.95.1 (Security Gateway)
  http://www.funkwerk-ec.com/prod_utm_2500_main_en,74383,837.html
  http://www.funkwerk-ec.com/portal/downloadcenter/dateien/funkwerk_UTM/release_notes_1_95_1_en.pdf
- SEIL Products
  http://www.seil.jp/english/seilseries/security/2009/04091700.php
Note: I have not verified the claimed fixes for the products above and have no plans to.
As you can see, a number of web security filtering products are open to abuse. Some vendors provide a workaround involving 'filtering off IP' (refusing proxied requests to sensitive internal addresses), which isn't a fix for this issue because you can still make any request to any outside network (assuming the proxy supports this; most will).
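To show why an IP filter is only a partial workaround, here is an added example (not from the original post or from any vendor's product) contrasting that filter with a check that ties the Host header to the original destination of the intercepted connection. The host names, addresses and the stand-in resolver are all constructed for the example.

```python
import ipaddress

# Constructed stand-in for DNS: what the proxy would resolve each Host value to.
FAKE_DNS = {
    "www.example": "198.51.100.20",       # site the plug-in socket really connected to
    "intranet.example": "10.0.0.5",       # sensitive internal host
    "bank.example": "203.0.113.7",        # unrelated external site
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """'Sensitive internal address' as the vendor workaround treats it: RFC 1918."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def ip_filter_workaround(host_header, resolver=FAKE_DNS):
    """Vendor-style workaround: refuse to forward when the Host header resolves
    to an internal address. Any external destination is still forwarded."""
    target = resolver.get(host_header)
    if target is None or is_internal(target):
        return "deny"
    return "allow"

def destination_consistency_check(original_dst_ip, host_header, resolver=FAKE_DNS):
    """Stronger check (hypothetical, not any vendor's code): the Host header must
    resolve to the address the client actually connected to, so the proxy never
    forwards to a host the client did not itself reach."""
    target = resolver.get(host_header)
    if target is None or target != original_dst_ip:
        return "deny"
    return "allow"

# Constructed scenario: every request arrives on a connection the client opened
# to www.example:80 (198.51.100.20); only the Host header differs.
SCENARIOS = [
    ("198.51.100.20", "www.example"),       # honest request
    ("198.51.100.20", "intranet.example"),  # Host names the internal network
    ("198.51.100.20", "bank.example"),      # Host names another external site
]

def compare_policies():
    """Return (host, workaround verdict, consistency-check verdict) per scenario."""
    return [(host, ip_filter_workaround(host),
             destination_consistency_check(dst, host)) for dst, host in SCENARIOS]

if __name__ == "__main__":
    for row in compare_policies():
        print(row)
```

The third row is the point of the post: the IP filter still forwards the mismatched external request, while the consistency check refuses every Host that does not match the intercepted connection.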
Chances are there are dozens more affected since this is a design abuse. If you know any please let me know and I'll add it to the list (please include something from the vendor page acknowledging the issue).
I'll be attending Blackhat and defcon later this month so if there are any proxy/http nerds who want to chat drop me a line.
Additional Coverage and related posts
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
http://www.cgisecurity.com/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html
Proxy Attack Stupid Buzzword Contest
http://www.cgisecurity.com/2009/03/proxy-attack-stupid-buzzword-contest-.html
Why does Silverlight have a restricted port range for Sockets?
http://blogs.msdn.com/ncl/archive/2009/06/23/why-does-silverlight-have-a-restricted-port-range-for-sockets.aspx
Proxy server bug exposes websites' private parts
http://www.theregister.co.uk/2009/02/23/serious_proxy_server_flaw/
ISA Server vs US-CERT VU#435052 – A Quick Test
http://www.carbonwind.net/blog/post/2009/03/21/ISA-Server-vs-US-CERT-VU435052-e28093-A-Quick-Test.aspx
Transparent proxies pave the way for attackers into the local network (heise, German)
http://www.heise.de/netze/Transparente-Proxies-ebnen-Angreifern-den-Weg-ins-lokale-Netz--/news/meldung/134333