From: Keith.Morgan (Keith.Morgan@TERRADON.COM)
Date: Thu Apr 05 2001 - 08:43:51 CDT


    My systems were probed for the 'setup.cfm' vulnerability in a particular
    shopping cart software. Upon researching the offending system, it turned
    out that they were providing a "proxy" service to internet users without
    authentication. They were using Microsoft Proxy Servers, with
    "everyone->anywhere" permissions. I demonstrated and logged for them how an
    individual could easily use their servers to compromise a remote machine.
    (I broke into our own honey pot with it)

    I have never seen this done with the proxy service "disabled." However, on
    a penetration test on an IIS box with proxy services installed, I was able
    to gain system level access. If they had the service startup properties set
    to "manual" instead of "disabled", I could have remotely issued the command
    "net start" to fire up the proxy service. From there, depending on their
    permissions, I could have used their proxy server to do just about anything.
    Winsock proxy services would allow me to do lots of nasty things
    masquerading as that computer.

    Keith Morgan
    Chief of Information Security
    Terradon Communications Group, LLC

    > -----Original Message-----
    > From: Curt Wilson [mailto:netw3@NETW3.COM]
    > Sent: Tuesday, April 03, 2001 6:28 PM
    > To: VULN-DEV@SECURITYFOCUS.COM
    > Subject: Re: Using IIS Server 4 as a relay
    >
    >
    > >>
    > >> > Has anyone had experience of an external unwanted client using IIS version 4
    > >> > as a proxy to get to other WEB sites on the internet, even though the proxy
    > >> > service has been disabled. A kind of IP Address spoof.
    > >> >
    > >>
    >
    > This concept has been discussed recently by H.D. Moore in his
    > "Making NT Bleed" presentation at CanSec West. I was unable to
    > attend this fine conference, but you can find his material plus
    > some nicely written perl code on his website
    >
    > http://www.digitaloffense.net/csw/
    >
    > The presentation is excellent reading and the perl scripts very
    > well done. It's possible that someone was using one of these
    > scripts or the basic techniques to accomplish the IIS 4 "relay"
    > that you are talking about. Could you post a log file or leave
    > some other information on this issue that gives us something
    > more to work with?
    >
    > Also, (please excuse my ignorance here if I am mistaken) what about
    > those various websites that use their own URL and pass the target website
    > as a parameter to an "external" link? I've not looked into this at all,
    > I always assumed that this was just a way for them to log which links
    > were being visited, but the connection still came from the original
    > client system, since this is not actually a proxy. Perhaps there is
    > some potential here for bypassing access control mechanisms, content
    > screen systems (websense, surfcontrol, etc.) unless they are filtering
    > on the presence of strings as opposed to static URL definitions.
    >
    > Thanks,
    > Curt Wilson
    >
    >
    >
    >
    >
    > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    > | Curt R. Wilson * Netw3 Consulting * www.netw3.com |
    > | Internet Security, Networking, PC tech, WWW hosting |
    > | Netw3 Security Reading Room : www.netw3.com/documents.html |
    > | Serving Southern Illinois locally and the world virtually |
    > | netw3@netw3.com 618-303-NET3 |
    > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    >
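As an added example (not code from either poster), here is the kind of log check Curt asks for: it scans IIS W3C extended log lines for proxy-style requests, i.e. absolute URLs pointing at some other host or CONNECT tunnel requests, which is what a server being used as a relay records. The field names are the standard W3C ones; LOCAL_HOSTS and the sample log are constructed assumptions.

```python
# Flag proxy-style requests in IIS W3C extended log lines: a client using the
# server as a relay asks for an absolute URL on another host, or a CONNECT tunnel.
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumed; constructed for the example).
LOCAL_HOSTS = {"www.example.test", "10.0.0.5"}

def parse_w3c(lines):
    """Yield one dict per data line, using the field names from '#Fields:'."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def relay_target(rec):
    """Return the external host a record tried to reach through us, or None."""
    method = rec.get("cs-method", "").upper()
    uri = rec.get("cs-uri-stem", "")
    if method == "CONNECT":
        return uri.split(":")[0]  # CONNECT host:port
    if uri.startswith(("http://", "https://")):
        host = (urlsplit(uri).hostname or "").lower()
        if host not in LOCAL_HOSTS:
            return host
    return None

def find_relay_attempts(log_text):
    """Return (client ip, method, target host) for each proxy-style request."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        target = relay_target(rec)
        if target:
            hits.append((rec["c-ip"], rec["cs-method"], target))
    return hits

# Constructed sample log in W3C extended format; not real traffic.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-03 18:28:01 192.0.2.10 GET /index.htm - 200
2001-04-03 18:28:05 192.0.2.44 GET http://www.other.test/setup.cfm - 200
2001-04-03 18:28:09 192.0.2.44 CONNECT mail.other.test:25 - 200
2001-04-03 18:28:12 192.0.2.10 GET http://www.example.test/about.htm - 200
"""
```

Running find_relay_attempts(SAMPLE_LOG) reports only the two requests from 192.0.2.44; the absolute URL for the server's own hostname is left alone.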