Vulnerability Note VU#435052

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Overview

Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections.

I. Description

HTTP Host headers are defined in RFC 2616 and are often used by web servers to allow multiple websites to share a single IP address.

From RFC 2616:

    A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL). For example, a request on the origin server for <http://www.w3.org/pub/WWW/> would properly include:

    GET /pub/WWW/ HTTP/1.1
    Host: www.w3.org

    A client MUST include a Host header field in all HTTP/1.1 request messages. If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure that any request message it forwards does contain an appropriate Host header field that identifies the service being requested by the proxy. All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.

Transparent proxy servers intercept and redirect network connections without user interaction or browser configuration. Some transparent intercepting proxy implementations make connection decisions based on the HTTP Host header value. Browser plugins (Flash, Java, etc.) may enforce access controls on active content by limiting communication to the site or domain that the content originated from. An attacker may be able to forge the HTTP Host header (or other HTTP headers) via active content. A proxy server running in intercepting ("transparent") mode that makes connection decisions based on HTTP header values instead of source and destination IP addresses is vulnerable because a remote attacker can forge these values.

To successfully exploit this issue, an attacker would need to either convince a user to visit a web page with malicious active content or be able to load the active content in an otherwise trusted site. Note that this vulnerability only affects proxy servers that run in transparent mode, and the browser's same-origin policy prevents attackers from re-using authentication credentials (cookies, etc.) to obtain further access. This issue does not apply to proxy servers running in reverse mode.

More information about this issue can be found in the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.

II. Impact

An attacker may be able to make full connections to any website or resource that the proxy can connect to. These sites may include internal resources such as intranet sites that would not usually be exposed to the Internet.

III. Solution

Update

When possible, administrators should obtain updated software. See the Systems Affected section of this document for a partial list of affected vendors. In network architectures using NAT, fixing this issue may not be feasible. Administrators are encouraged to review the workarounds below.

Administrators can determine if their proxy server is vulnerable by reading the "Reproduction Instructions" section of the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.

Workarounds for Administrators

It is possible to limit the impact of this vulnerability by restricting access in several ways. None of the workarounds below solves the issue, but they will significantly reduce the impact.

  • Because an attacker cannot access HTTP cookies, internal services that use an authentication scheme (such as a username/password) are not likely to be affected.
  • Network designs that have limited connectivity between the proxy and internal services will prevent an attacker from obtaining direct access to these services via the proxy. Administrators should consider using access control lists or firewall rules to prevent direct connections between internal servers and proxy servers.
  • Administrators should limit the CONNECT method to only the minimum required port range (usually 443/tcp).
  • Limiting the range of ports a proxy server can communicate on will limit what resources an attacker can target. When possible, router or switch access control lists should be configured to prevent HTTP proxy servers from using ports or protocols that they should not normally need access to. HTTP proxy servers do not usually need to communicate with well-known ports other than 80/tcp and 443/tcp.

Workarounds for users

  • To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc.) in the context of a web browser. Mozilla Firefox users should consider using the NoScript plugin to whitelist sites that can execute dynamic content. See the Securing Your Web Browser document for more information about secure browser configurations.

Workarounds for proxy server vendors

Although these workarounds will not address the underlying issue, vendors who distribute HTTP proxy servers are encouraged to implement them to mitigate future vulnerabilities.

  • In default configurations the proxy server should only be able to connect to a limited number of well known ports.
  • The CONNECT method should only be allowed for traffic that uses destination port 443/tcp, unless the proxy is designed to act as a TCP tunnel on all ports.
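The following is an added illustration (not code from the advisory or from any listed vendor) of the connection decision described in section I and of the port-policy workarounds above. It models what an intercepting proxy can see: the original destination handed over by the kernel redirect, which the client cannot forge, and the request bytes, which a socket-capable plugin can write freely. The sample requests, the 203.0.113.10 address and the intranet.example.internal name are constructed for the example.

```python
import re

# Constructed sample input: the original destination the browser really connected to
# (what the redirect rule tells the proxy) and two requests an attacker's plugin could
# write onto that connection. 203.0.113.10 is a documentation address standing in for
# the attacker-controlled site; intranet.example.internal is a made-up internal host.
ORIG_DST = ("203.0.113.10", 80)
FORGED_GET = (b"GET /admin HTTP/1.1\r\n"
              b"Host: intranet.example.internal\r\n\r\n")
FORGED_CONNECT = b"CONNECT intranet.example.internal:22 HTTP/1.1\r\n\r\n"

ALLOWED_PORTS = {80, 443}   # workaround: plain requests only to well-known web ports
CONNECT_PORTS = {443}       # workaround: CONNECT only to 443/tcp

def parse_request(raw):
    """Return (method, request-target, headers) with lowercase header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def split_hostport(hostport, default_port):
    name, _, port = hostport.partition(":")
    return name, int(port) if port else default_port

def upstream_vulnerable(raw, orig_dst):
    """Affected behaviour: the upstream is whatever the forgeable request names."""
    method, target, headers = parse_request(raw)
    if method == "CONNECT":
        return split_hostport(target, 443)
    return split_hostport(headers.get("host", ""), 80)

def upstream_hardened(raw, orig_dst):
    """Fixed behaviour: connect only to the address the client actually reached, and
    enforce the port policy. The Host header is forwarded, never used for routing."""
    method, _target, _headers = parse_request(raw)
    ip, port = orig_dst
    allowed = CONNECT_PORTS if method == "CONNECT" else ALLOWED_PORTS
    if port not in allowed:
        raise PermissionError(f"{method} to port {port} denied by policy")
    return ip, port

def looks_forged(raw, orig_dst):
    """Detection hook: a CONNECT on an intercepted connection (browsers do not send
    CONNECT to origin servers) or an IP-literal Host that differs from the real
    destination is worth logging as a probable header-forging attempt."""
    method, _target, headers = parse_request(raw)
    if method == "CONNECT":
        return True
    host = split_hostport(headers.get("host", ""), 80)[0]
    return bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)) and host != orig_dst[0]
```

Comparing the two decision functions on the same request shows the whole issue: the vulnerable path would open a connection to the internal host, the hardened path stays on the address the client reached and refuses the CONNECT outright because the intercepted port is not 443.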

Systems Affected

Vendor | Status | Date Notified | Date Updated
------ | ------ | ------------- | ------------
3com, Inc. | Unknown | 2008-12-09 | 2008-12-09
ACCESS | Unknown | 2008-12-09 | 2008-12-09
Alcatel-Lucent | Unknown | 2008-12-09 | 2008-12-09
Apple Computer, Inc. | Vulnerable | 2008-12-09 | 2009-09-11
Apple Inc. | Unknown | 2009-09-11 | 2009-09-11
Astaro | Vulnerable | | 2009-04-30
Asterisk | Unknown | | 2009-04-22
AT&T | Unknown | 2008-12-09 | 2008-12-09
Avaya, Inc. | Unknown | 2008-12-09 | 2008-12-09
AvertLabs | Unknown | 2008-12-10 | 2008-12-10
Barracuda Networks | Unknown | 2008-12-09 | 2008-12-09
Belkin, Inc. | Unknown | 2008-12-09 | 2008-12-09
Blue Coat Systems | Vulnerable | 2009-01-02 | 2009-03-04
Borderware Technologies | Not Vulnerable | 2008-12-09 | 2009-02-03
Bro | Unknown | 2008-12-09 | 2008-12-09
Charlotte's Web Networks | Unknown | 2008-12-09 | 2008-12-09
Check Point Software Technologies | Not Vulnerable | 2008-12-09 | 2009-02-20
CIAC | Unknown | 2008-12-09 | 2008-12-09
Cisco Systems, Inc. | Not Vulnerable | 2008-12-09 | 2009-03-12
Clavister | Unknown | 2008-12-09 | 2008-12-09
Computer Associates | Unknown | 2008-12-09 | 2008-12-09
Computer Associates eTrust Security Management | Unknown | 2008-12-09 | 2008-12-09
Conectiva Inc. | Unknown | 2008-12-09 | 2008-12-09
Cray Inc. | Not Vulnerable | 2008-12-09 | 2008-12-17
Data Connection, Ltd. | Unknown | 2008-12-09 | 2008-12-09
Debian GNU/Linux | Not Vulnerable | 2008-12-09 | 2009-02-20
DragonFly BSD Project | Unknown | 2008-12-09 | 2008-12-09
EMC Corporation | Unknown | 2008-12-09 | 2008-12-09
Engarde Secure Linux | Unknown | 2008-12-09 | 2008-12-09
Enterasys Networks | Unknown | 2008-12-09 | 2008-12-09
Ericsson | Unknown | 2008-12-09 | 2008-12-09
eSoft, Inc. | Unknown | 2008-12-09 | 2008-12-09
Extreme Networks | Not Vulnerable | 2008-12-09 | 2009-04-24
F5 Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Fedora Project | Unknown | 2008-12-09 | 2008-12-09
Force10 Networks, Inc. | Not Vulnerable | 2008-12-09 | 2009-02-04
Fortinet, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-10
Foundry Networks, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-11
FreeBSD, Inc. | Unknown | 2008-12-09 | 2008-12-09
Fujitsu | Unknown | 2008-12-09 | 2008-12-09
Gentoo Linux | Unknown | 2008-12-09 | 2008-12-09
Global Technology Associates | Unknown | 2008-12-09 | 2008-12-09
Google | Unknown | 2009-01-08 | 2009-01-08
Hewlett-Packard Company | Unknown | 2008-12-09 | 2008-12-09
Hitachi | Unknown | 2008-12-09 | 2008-12-09
IBM Corporation | Unknown | 2008-12-09 | 2008-12-09
IBM Corporation (zseries) | Unknown | 2008-12-09 | 2008-12-09
IBM eServer | Unknown | 2008-12-09 | 2008-12-09
Ingrian Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Intel Corporation | Not Vulnerable | 2008-12-09 | 2009-01-07
Internet Initiative Japan | Vulnerable | | 2009-04-13
Internet Security Systems, Inc. | Not Vulnerable | 2008-12-09 | 2009-04-13
Intoto | Unknown | 2008-12-09 | 2008-12-09
IP Filter | Not Vulnerable | 2008-12-09 | 2009-01-08
Juniper Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Luminous Networks | Unknown | 2008-12-09 | 2008-12-09
m0n0wall | Unknown | 2008-12-09 | 2008-12-09
Mandriva, Inc. | Unknown | 2008-12-09 | 2008-12-09
McAfee | Unknown | 2008-12-09 | 2008-12-09
Microsoft Corporation | Unknown | 2008-12-09 | 2008-12-09
Microsoft Vulnerability Research | Unknown | 2009-02-09 | 2009-02-09
MontaVista Software, Inc. | Unknown | 2008-12-09 | 2008-12-09
Multitech, Inc. | Unknown | 2008-12-09 | 2008-12-09
NEC Corporation | Unknown | 2008-12-09 | 2008-12-09
NetApp | Not Vulnerable | 2008-12-09 | 2009-04-27
NetBSD | Unknown | 2008-12-09 | 2008-12-09
netfilter | Unknown | 2008-12-09 | 2008-12-09
Nokia | Unknown | 2008-12-09 | 2008-12-09
Nortel Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Novell, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-18
OpenBSD | Unknown | 2008-12-09 | 2008-12-09
OpenSSH | Unknown | 2009-01-06 | 2009-01-06
PayPal | Unknown | 2008-11-11 | 2008-11-11
PePLink | Not Vulnerable | 2008-12-09 | 2009-01-02
Privoxy | Unknown | 2009-01-06 | 2009-01-06
Process Software | Unknown | 2008-12-09 | 2008-12-09
Q1 Labs | Unknown | 2008-12-09 | 2008-12-09
QBIK New Zealand Limited | Vulnerable | 2009-01-15 | 2009-01-21
QNX, Software Systems, Inc. | Unknown | 2008-12-09 | 2008-12-09
Quagga | Unknown | 2008-12-09 | 2008-12-09
RadWare, Inc. | Not Vulnerable | 2008-12-09 | 2008-12-17
Red Hat, Inc. | Unknown | 2008-12-09 | 2008-12-09
Redback Networks, Inc. | Unknown | 2008-12-09 | 2008-12-09
Secure Computing Network Security Division | Unknown | 2008-12-09 | 2008-12-09
Secureworx, Inc. | Unknown | 2008-12-09 | 2008-12-09
Silicon Graphics, Inc. | Unknown | 2008-12-09 | 2008-12-09
Slackware Linux Inc. | Unknown | 2008-12-09 | 2008-12-09
SmoothWall | Vulnerable | 2008-12-09 | 2009-02-20
Snort | Unknown | 2008-12-09 | 2008-12-09
Soapstone Networks | Unknown | 2008-12-09 | 2008-12-09
Sony Corporation | Unknown | 2008-12-09 | 2008-12-09
Sophos, Inc. | Unknown | 2009-03-11 | 2009-03-11
Sourcefire | Unknown | 2008-12-09 | 2008-12-09
Squid | Vulnerable | 2009-01-02 | 2009-02-23
Stonesoft | Unknown | 2008-12-09 | 2008-12-09
Sun Microsystems, Inc. | Unknown | 2008-12-09 | 2008-12-09
SUSE Linux | Unknown | 2008-12-09 | 2008-12-09
Symantec, Inc. | Unknown | 2008-12-09 | 2008-12-09
The SCO Group | Unknown | 2008-12-09 | 2008-12-09
Tinyproxy | Unknown | 2009-06-29 | 2009-06-29
TippingPoint, Technologies, Inc. | Not Vulnerable | 2008-12-09 | 2009-01-13
Turbolinux | Unknown | 2008-12-09 | 2008-12-09
U4EA Technologies, Inc. | Unknown | 2008-12-09 | 2008-12-09
Ubuntu | Unknown | 2008-12-09 | 2008-12-09
Unisys | Unknown | 2008-12-09 | 2008-12-09
Vyatta | Unknown | 2008-12-09 | 2008-12-09
Watchguard Technologies, Inc. | Unknown | 2008-12-09 | 2008-12-09
Wind River Systems, Inc. | Not Vulnerable | 2008-12-09 | 2009-03-04
Ziproxy | Vulnerable | 2009-01-13 | 2009-08-07
ZyXEL | Unknown | 2008-12-09 | 2008-12-09

References

http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf
http://www.ietf.org/rfc/rfc2616.txt
http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html
http://www.us-cert.gov/reading_room/securing_browser/
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14213
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Black_Box_testing_and_example
http://en.wikipedia.org/w/index.php?title=List_of_TCP_and_UDP_port_numbers&oldid=266934839

Credit

Thanks to Robert Auger from the PayPal Information Risk Management team for reporting this issue as well as providing technical information.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-02-23
Date First Published: 2009-02-23
Date Last Updated: 2009-09-28
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 3.54
Document Revision: 139

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2009 by US-CERT, a government organization