 
From: Attonbitus Deus (Thor@HAMMEROFGOD.COM)
Date: Thu Apr 05 2001 - 12:21:30 CDT


    Would you please elaborate on how you did this? I tried this in the past
    with no luck, and again after reading your post...

    With WebProxy, even with no access controls set (if that is what you mean by
    "everyone->anywhere") and no packet filtering, I was not able to have the
    external interface proxy for me from the outside world. I even went as far
    as to add my [external] address to the LAT table!

    Particularly the Winsock proxy... I would love to know how you did that. I
    changed my mspclnt.ini to point to the external address of the proxy,
    disabled all access controls, and got absolutely nowhere. And again, I
    added the external address to the LAT table (which I think would be a
    requirement for the winsock proxy client to work...) This was of course all
    done externally in the same way that an attack would have to be.

    Thanks!
    ---------------------------------
    Attonbitus Deus
    ThorHammerofGod.Com

    ----- Original Message -----
    From: "Keith.Morgan" <Keith.Morgan@TERRADON.COM>
    To: <VULN-DEV@SECURITYFOCUS.COM>
    Sent: Thursday, April 05, 2001 6:43 AM
    Subject: Re: Using IIS Server 4 as a relay

    > My systems were probed for the 'setup.cfm' vulnerability in a particular
    > shopping cart software. Upon researching the offending system, it turned
    > out that they were providing a "proxy" service to internet users without
    > authentication. They were using Microsoft Proxy Servers, with
    > "everyone->anywhere" permissions. I demonstrated and logged for them how an
    > individual could easily use their servers to compromise a remote machine.
    > (I broke into our own honey pot with it)
    >
    > I have never seen this done with the proxy service "disabled." However, on
    > a penetration test on an IIS box with proxy services installed, I was able
    > to gain system level access. If they had the service startup properties set
    > to "manual" instead of "disabled", I could have remotely issued the command
    > "net start" to fire up the proxy service. From there, depending on their
    > permissions, I could have used their proxy server to do just about anything.
    > Winsock proxy services would allow me to do lots of nasty things
    > masquerading as that computer.
    >
    > Keith Morgan
    > Chief of Information Security
    > Terradon Communications Group, LLC
    >
    > > -----Original Message-----
    > > From: Curt Wilson [mailto:netw3@NETW3.COM]
    > > Sent: Tuesday, April 03, 2001 6:28 PM
    > > To: VULN-DEV@SECURITYFOCUS.COM
    > > Subject: Re: Using IIS Server 4 as a relay
    > >
    > >
    > > >> > Has anyone had experience of an external unwanted client using IIS
    > > >> > version 4 as a proxy to get to other WEB sites on the internet, even
    > > >> > though the proxy service has been disabled. A kind of IP Address spoof.
    > >
    > > This concept has been discussed recently by H.D. Moore in his
    > > "Making NT Bleed" presentation at CanSec West. I was unable to
    > > attend this fine conference, but you can find his material plus
    > > some nicely written perl code on his website
    > >
    > > http://www.digitaloffense.net/csw/
    > >
    > > The presentation is excellent reading and the perl scripts very
    > > well done. It's possible that someone was using one of these
    > > scripts or the basic techniques to accomplish the IIS 4 "relay"
    > > that you are talking about. Could you post a log file or leave
    > > some other information on this issue that gives us something
    > > more to work with?
    > >
    > > Also, (please excuse my ignorance here if I am mistaken) what about
    > > those various websites that use their own URL and pass the target
    > > website as a parameter to an "external" link? I've not looked into
    > > this at all, I always assumed that this was just a way for them to log
    > > which links were being visited, but the connection still came from the
    > > original client system, since this is not actually a proxy. Perhaps
    > > there is some potential here for bypassing access control mechanisms,
    > > content screen systems (websense, surfcontrol, etc.) unless they are
    > > filtering on the presence of strings as opposed to static URL definitions.
    > >
    > > Thanks,
    > > Curt Wilson
    > >
    > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    > > | Curt R. Wilson * Netw3 Consulting * www.netw3.com |
    > > | Internet Security, Networking, PC tech, WWW hosting |
    > > | Netw3 Security Reading Room : www.netw3.com/documents.html |
    > > | Serving Southern Illinois locally and the world virtually |
    > > | netw3@netw3.com 618-303-NET3 |
    > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
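As an added defender-side example that is not part of this thread, the following Python flags in proxy logs the "everyone->anywhere" relay pattern Keith describes: successful requests where both the client and the destination lie outside the internal address ranges (standing in for the LAT). The log format, address ranges and sample lines are all constructed for the example, not Microsoft Proxy Server's real log layout.

```python
import ipaddress
from urllib.parse import urlsplit

# Internal ranges playing the role of the LAT (Local Address Table) the thread
# refers to; the values are constructed for this example.
LAT = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Hostnames treated as internal (constructed); everything else is external.
INTERNAL_SUFFIXES = (".corp.example",)

def is_internal(host):
    """True if host is an IP inside the LAT or a name under an internal suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in LAT)

def parse_line(line):
    """Parse one simplified log line: '<client-ip> <method> <url-or-host:port> <status>'."""
    client, method, target, status = line.split()
    # CONNECT targets are bare host:port, so prefix a scheme before splitting.
    parts = urlsplit(target if "://" in target else "http://" + target)
    return {"client": client, "method": method,
            "host": parts.hostname or "", "status": int(status)}

def find_relay_abuse(lines):
    """Return (client, host) pairs where an external client relayed through
    the proxy to an external host and the proxy let the request through."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["status"] >= 400:          # denied by access controls: not a relay
            continue
        if not is_internal(rec["client"]) and not is_internal(rec["host"]):
            hits.append((rec["client"], rec["host"]))
    return hits

# Constructed sample log: one legitimate internal user, one external client
# relaying a web probe and an SMTP tunnel, one denied request.
SAMPLE_LOG = """\
10.0.0.15 GET http://www.example.com/index.html 200
203.0.113.7 GET http://shop.example.net/setup.cfm 200
203.0.113.7 CONNECT mail.example.org:25 200
198.51.100.9 GET http://10.0.0.5/ 200
203.0.113.7 GET http://www.example.com/ 403
""".splitlines()

if __name__ == "__main__":
    for client, host in find_relay_abuse(SAMPLE_LOG):
        print(f"relay abuse: {client} -> {host}")
```

An external client reaching an internal host (the fourth line) is a different problem, inbound exposure, and is deliberately not reported here.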