From: Volker Tanger (volker.tanger_at_discon.de)
Date: Thu Dec 05 2002 - 10:00:39 CST


    Greetings!

    A quite well known (i.e. ancient) type of proxy vulnerability was
    found for TrendMicro's InterScan VirusWall V3.6. This general problem
    has been known to be an issue with plain HTTP proxies like the Squid
    for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

    The vulnerability can be exploited using the CONNECT method to
    connect to a different server, e.g. an internal mailserver as
    port usage is completely unrestricted by the ISVW proxies V 3.6.

    Example:
            you = 6.6.6.666
            Trendmicro ISVW = 1.1.1.1 (http proxy at port 80)
            Internal Mailserver = 2.2.2.2

            connect with "telnet 1.1.1.1 80" to ISVW proxy and enter
            CONNECT 2.2.2.2:25 / HTTP/1.0

            response: mail server banner - and running SMTP session e.g.
            to send SPAM from.

    You can connect to any TCP port on any machine the proxy
    can connect to. Telnet, SMTP, POP, etc.

    Solution:
            Update to ISVW 3.7 Build 1190 or newer (available since some
            weeks now).

    temp. Workarounds:
            - disable the HTTP proxy (safe but inconvenient)
            - You have a firewall that prevents unauthorized access to the
              Trend ISVW proxy, don't you?

    Volker Tanger
    IT-Security Consulting

    - --
    discon gmbh
    Wrangelstraße 100
    D-10997 Berlin

    fon +49 30 6104-3307
    fax +49 30 6104-3461

    volker.tanger@discon.de
    http://www.discon.de/