« PayPal's Information Risk Management Team is Hiring | Main | Got My New Security Key »

March 09, 2009

Socket Capable Browser Plugins Result In Transparent Proxy Abuse

We're pleased to announce the availability of 'Socket Capable Browser Plugins Result In Transparent Proxy Abuse'. This document outlines the abuse case in CERT's VU #435052 advisory published last month.

Abstract

"Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption,speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."

Download Paper: http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf

CERT Advisory: http://www.kb.cert.org/vuls/id/435052

Posted at 04:32 PM in Protocols |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Joachim Otahal

Solve for squid in squid.conf (testet here, seems to work):

acl NOCACHELAN dst 192.168.0.0/16 10.0.0.0/8
acl NOCACHELAN2 dstdomain .intra .local
http_access deny NOCACHELAN
http_access deny NOCACHELAN2

Without these lines I get our intranet when doing following:

telnet www.heise.de 80
GET / HTTP/1.0
Host:192.168.250.9

With these lines squid gives me "access denied"

regards,

Joachim Otahal , Germany

Posted by: Joachim Otahal | March 10, 2009 at 06:35 PM

Emilio

Joachim, have you tried with Host: www.other-site.com ?

the abuse is related to anywhere host, not internal hosts.

Regards.

Posted by: Emilio | March 13, 2009 at 12:44 PM

Joachim Otahal

It does not protect from spoofing from one outside server to another outside server.
My target was quick protecting the internal network.
There are squid options which can fix this to some extend, but then some websites don't work, and more internal information is exposed outside than I want.
Rechecking should be done anyway, squid evolves.

Jou

Posted by: Joachim Otahal | March 18, 2009 at 03:05 PM

Proxy Servers

Try with current stable version of squid. Worked for me.

Posted by: Proxy Servers | June 22, 2009 at 03:08 PM

The comments to this entry are closed.