Re: Squid URL Filtering Bypass
What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.
There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers
that the proxy won't see.
On Wed, Apr 18, 2012 at 7:46 PM, Richard Barrett
<r.barrett@openinfo.co.uk> wrote:
>
> A forward proxy server when presented with a CONNECT request is solely re=
sponsible for attempting to facilitate an end-to-end encrypted path between=
the requesting client and the far end server. The CONNECT method does no m=
ore than create a temporary hole in your firewall.
>
> Only once that is done is a normal HTTP request, including headers such a=
s the Host: header, passed over the encrypted path by the client. Most cruc=
ially, the proxy server cannot see the HTTP request or its headers due to t=
he end-to-end encryption. You can use the encrypted path to carry any proto=
col or data you like and the proxy server is quite oblivious to it as it is=
opaque to the proxy.
>
> The only access control that the proxy server can perform is based on the=
CONNECT method request and the server identified in it by either IP number=
or FQDN and port.
>
> You do not say what the acl is that you have asked Squid to apply but it =
cannot involve any examination of the Host: header of a request if the CONN=
ECT method is used; only the far end server can see that.
>
> The same =A0conclusion also applies to your other post about a vulnerabil=
ity with "McAfee Web Gateway URL Filtering Bypass"
>
> On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:
>
> > # Exploit Title: Squid URL Filtering Bypass
> > # Date: 16/04/2012
> > # Author: Gabriel Menezes Nunes
> > # Version: Squid Proxy
> > # Tested on: Squid Proxy 3.1.19
> > # CVE: CVE-2012-2213
> >
> >
> > I found a vulnerability in Squid Proxy that allows access to filtered s=
ites.
> > The software believes in the Host field of HTTP Header using CONNECT me=
thod.
> > Example
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1
> > Host: www.facebook.com
> >
> >
> > It is blocked.
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
> >
> > It is blocked.
> >
> > But:
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1
> > Host: www.uol.com.br (allowed url)
> >
> > The connection works.
> >
> > From here, I can send SSL traffic without a problem. This way, I can
> > access any blocked site that allows SSL connections.
> >
> >
> > This vulnerability is different from the CONNECT Tunnel method. The
> > flaw is on the Host field processing. The software believes on this
> > field.
> >
> > So, any sites can be accessed. URL filtering in this software is
> > irrelevant and useless.
> > One of the most important (if not the most important) feature of this
> > kind of device is to protect the network in accessing specific URLs.
> > So, this flaw is very dangerous, and it can be implemented even in
> > malwares, bypassing any protection.
> > I developed a python script that acts like a proxy and it uses this
> > flaw to access any site.
> > This tool is just a proof of concept.
> > <proxy_bypass.py>
>
--
=93There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.=94
討論串 (同標題文章)
完整討論串 (本文為第 3 之 5 篇):