Re: Squid URL Filtering Bypass
A forward proxy server when presented with a CONNECT request is solely =
responsible for attempting to facilitate an end-to-end encrypted path =
between the requesting client and the far end server. The CONNECT method =
does no more than create a temporary hole in your firewall.
Only once that is done is a normal HTTP request, including headers such =
as the Host: header, passed over the encrypted path by the client. Most =
crucially, the proxy server cannot see the HTTP request or its headers =
due to the end-to-end encryption. You can use the encrypted path to =
carry any protocol or data you like and the proxy server is quite =
oblivious to it as it is opaque to the proxy.
The only access control that the proxy server can perform is based on =
the CONNECT method request and the server identified in it by either IP =
number or FQDN and port.
You do not say what the acl is that you have asked Squid to apply but it =
cannot involve any examination of the Host: header of a request if the =
CONNECT method is used; only the far end server can see that.
The same conclusion also applies to your other post about a =
vulnerability with "McAfee Web Gateway URL Filtering Bypass"
On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:
> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>=20
>=20
> I found a vulnerability in Squid Proxy that allows access to filtered =
sites.
> The software believes in the Host field of HTTP Header using CONNECT =
method.
> Example
>=20
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>=20
>=20
> It is blocked.
>=20
> CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
>=20
> It is blocked.
>=20
> But:
>=20
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.uol.com.br (allowed url)
>=20
> The connection works.
>=20
> =46rom here, I can send SSL traffic without a problem. This way, I can
> access any blocked site that allows SSL connections.
>=20
>=20
> This vulnerability is different from the CONNECT Tunnel method. The
> flaw is on the Host field processing. The software believes on this
> field.
>=20
> So, any sites can be accessed. URL filtering in this software is
> irrelevant and useless.
> One of the most important (if not the most important) feature of this
> kind of device is to protect the network in accessing specific URLs.
> So, this flaw is very dangerous, and it can be implemented even in
> malwares, bypassing any protection.
> I developed a python script that acts like a proxy and it uses this
> flaw to access any site.
> This tool is just a proof of concept.
> <proxy_bypass.py>
討論串 (同標題文章)
完整討論串 (本文為第 3 之 5 篇):