« PayPal's Information Risk Management Team is Hiring | Main | Got My New Security Key »

March 09, 2009

Socket Capable Browser Plugins Result In Transparent Proxy Abuse

We're pleased to announce the availability of 'Socket Capable Browser Plugins Result In Transparent Proxy Abuse'. This document outlines the abuse case in CERT's VU #435052 advisory published last month.

Abstract

"Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption,speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."

Download Paper: http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf

CERT Advisory: http://www.kb.cert.org/vuls/id/435052

Posted at 04:32 PM in Protocols |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e5502ec8d98834011168ceb72c970c

Listed below are links to weblogs that reference Socket Capable Browser Plugins Result In Transparent Proxy Abuse:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Joachim Otahal

Solve for squid in squid.conf (testet here, seems to work):

acl NOCACHELAN dst 192.168.0.0/16 10.0.0.0/8
acl NOCACHELAN2 dstdomain .intra .local
http_access deny NOCACHELAN
http_access deny NOCACHELAN2

Without these lines I get our intranet when doing following:

telnet www.heise.de 80
GET / HTTP/1.0
Host:192.168.250.9

With these lines squid gives me "access denied"

regards,

Joachim Otahal , Germany

Posted by: Joachim Otahal | March 10, 2009 at 06:35 PM

Emilio

Joachim, have you tried with Host: www.other-site.com ?

the abuse is related to anywhere host, not internal hosts.

Regards.

Posted by: Emilio | March 13, 2009 at 12:44 PM

Joachim Otahal

It does not protect from spoofing from one outside server to another outside server.
My target was quick protecting the internal network.
There are squid options which can fix this to some extend, but then some websites don't work, and more internal information is exposed outside than I want.
Rechecking should be done anyway, squid evolves.

Jou

Posted by: Joachim Otahal | March 18, 2009 at 03:05 PM

Proxy Servers

Try with current stable version of squid. Worked for me.

Posted by: Proxy Servers | June 22, 2009 at 03:08 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Archives

More...

Categories

Pages

About

Add me to your TypePad People list
Subscribe to this blog's feed
AddThis Social Bookmark Button

Blog Roll