Re: Spam via proxy

Greetings!

listuser wrote:

> I work at a cable ISP and lots of our customers have open wingate,
> squid or socks proxies. These are regularly being used by spammers to
> send their scum.

The ancient "Proxy vulnerability" as in
http://www.securityfocus.com/bid/4131

This general problem has been known to be an issue with plain HTTP proxies like the Squid for ages (e.g.
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

> ie if some one can tell me how to replicate this via a telnet session
> to the relevent port it will be great.

The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver as port usage is completely unrestricted by the ISVW proxies V 3.6

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Example:

	you = 6.6.6.666
	Trendmicro ISVW = 1.1.1.1  (http proxy at port 80)
	Internal Mailserver = 2.2.2.2

	connect with "telnet 1.1.1.1 80" to ISVW proxy and enter
	followed with two linefeeds:
	CONNECT 2.2.2.2:25 / HTTP/1.0

	response: mail server banner - and running SMTP session e.g.
	to send SPAM from.

You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc. You can see it in the logs you provided as CONNECT (squid), SSL (wingate) methods - all to port 25 (smtp).

> How these cases are being handled else where. One problem we have
> faced is that the actual users are clueless about what is going on.
> Are people blocking squid and socks ports at the border router?

For squid see above URL. For TrendMicro ISVW see http://online.securityfocus.com/archive/1/302200

Generally we (advise to) put any proxy into a (separate) DMZ which only is accessible via a firewall (the usual 3-leg firewall config) that is blocking all but the identified, needed connections.

Bye

Volker Tanger
IT-Security Consulting

-- 
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger@discon.de
http://www.discon.de/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com