290 likes | 413 Views
Abusing Open HTTP Proxies. Mike Zusman Intrepidus Group, Inc Mike.zusman@intrepidusgroup.com. June 18, 2008. Hi everybody!. Mike Zusman, CISSP Past Web Application Developer Whale Communications/Microsoft ADP Application Security Team Current Senior Consultant @ Intrepidus Group.
E N D
Abusing Open HTTP Proxies Mike Zusman Intrepidus Group, Inc Mike.zusman@intrepidusgroup.com June 18, 2008
Hi everybody! • Mike Zusman, CISSP • Past • Web Application Developer • Whale Communications/Microsoft • ADP Application Security Team • Current • Senior Consultant @ Intrepidus Group
What am I talking about? • Open HTTP Proxies • Remote Access appliances • Plain Old Web Applications
Using SSL? Come on in! • SSL VPN Remote Access Portals
One HTTP listener, many web servers • URL Rewriting
The Good, the bad, and the 0wned • Microsoft Intelligent Application Gateway • https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp • SonicWALL SSL VPN • https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/
But wait, there is more . . . • We just showed a client-side attack • We can also attack the network and other services • How does HTTP work? • And we can attack the application/proxy itself • Think beyond HTTP
Scanning the Network • HTTP is sent over TCP • https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227 • Date Public02/19/2002 • Open HTTP proxies will open arbitrary TCP sockets • /fetchurl.asp?url=http://192.168.1.1:139 • Timing
Scanning the Network Trying: http://127.0.0.1:139 Result: 500 Duration: 0.937832117081s Trying: http://127.0.0.1:443 Result: timed out Duration: 30.0013480185s
Attacking the Proxy • Web Applications can act as proxies • Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP • PHP: Include(), fopen(), etc (if your bored) • Perl: request() • These Libraries can do more then fetch remote URLs • What about file:/// ?
SEO Web Sites (1) • Search Engine Optimize http://127.0.0.1
SEO Web Sites (2) Great Success! • Search Engine Optimize http://127.0.0.1
Blog Engine .NET • http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/ • Widespread: “probably 100,000 public installs” • Local web site disclosure • /js.axd?path=http://localhost • Local file disclosure • /js.axd?path=/web.config
HTTP Request Amplification • Attacker sends X number of requests to the proxy • The proxy sends (x)(y) number of requests to the victim • Google RSS Reader: 2 to 1 request amplification on non-existing feeds • Transloading and WebTV users
Open Application Proxy Chaining • Anonymization • A large number of open app proxies (HTTP GET) • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim • Auto-Exploitation: Open Proxy Worm • A large number of open app proxies (HTTP GET) • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN • The Proxies are the Victims
Open Application Proxy Chaining • Embedding URLs • http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….
Open Application Proxy Chaining • Embedding URLs
URL Length • .NET 260 char? • IIS: 32K charshttp://support.microsoft.com/kb/820129 • How long of a URL can you have? • “In theory, there is no limit.In practice, IE imposes a limit of 2,083 bytes.Because nobody could need more than 640k.- Some Guy on the Internet
What about the HTTP Response? • Sometimes you see the proxied response, sometimes you don’t • What are your goals? • Timing can help (or hurt you) • Order of Execution • Confirmation • Make yourself the last hop • TCP Sequencing
No request propagation without exploitation! • Request Propagation • Attacker makes one request that turns into N requests • How can we exploit this? • Persistent XSS • Blind SQLi • Get code to run on a machine in the chain (or a web browser)
No request propagation without exploitation! • Persistent XSS • http://host1.com/?url=http://host2.com¶m=<img src=“http://tinyurl.com/xyz”> • http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …
Demo • Hopefully, it will work.
No FUD • Attack Prerequisites • App must have a URL that makes arbitrary request • The same URL must have some other code execution vulnerability: /index.asp?url=[URL]¶m=[EXPLOIT] • Order of Execution: Exploit then Propagate • Leg Work • Attacker must find targets ahead of time • Mitigating Factor • URL Length Limitations
This is OWASP… • …so how do we fix this stuff? • Input Validation • Displaying host names in URLs is bad • Manipulation • Information Leakage • Lock down the config • Use a product that supports white lists • Don’t allow .* hosts • Firewall configuration • Does your proxy NEED to… • talk to the Internet? • talk to every host on your LAN?
Thanks • Questions? • Comments? • Concerns? • Mike.zusman@intrepidusgroup.com • http://schmoil.blogspot.com • http://blog.phishme.com