1、Abusing Transparent Proxies with Flash v2.00,By Robert Auger PayPal Information Risk Management,November 2009,Overview,What are transparent and intercepting proxies? When are transparent proxies used? How do they operate? Brief intro to the SOP Flash and the socket policy The abuse case Solutions an
2、d mitigations Conclusions,2,What are transparent and intercepting proxies?,Explicit Proxy: A proxy explicitly configured by a client or user system. Also known as a classic web proxy. Transparent Proxy: Proxy which is NOT explicitly configured by the client machine. Intercepting Proxy: A more intrus
3、ive version of a transparent proxy. May modify traffic.,3,When are transparent proxies used?,4,How traffic gets to transparent proxies,Technologies such as WCCP/GRE/IPTables/IPFW are often used to force/redirect traffic to the transparent proxy The user is unaware this is going on Proxy is typically
4、 on a dedicated machine, sometimes deployed on the gateway/router itself Often involves rewriting the packets destination to the proxies IP address and port (NAT) Some implementations merely sniff the wire and may not terminate to a service If the proxy is listening on all addresses then rewriting s
5、houldnt be required, although it is unknown how common this approach is,5,Common transparent proxy architectures,6,Approach A: Use the destination IP from the client,Proxy server determines destination based on original destination-IP address of client request. In this configuration the transparent
6、proxy routes requests much like a standard router by basing its routing decisions off of the network layer (layer 3).Architecture is defined in RFC 1919 (Classical versus Transparent IP Proxies) which is marked Informational and is not a standard. Only can be used in certain network architectures.,7
7、,When Approach A cannot be implemented (NAT),8,Approach B: Inspect application layer data,Proxy server determines destination based on the HTTP Payload from the client request. In this configuration the transparent proxy is determining IP destinations based on the application protocol (layer 7) inst
8、ead of IP (layer 3). Architecture not defined in any standard including RFC 2616 (HTTP 1.1). Due to the socket capabilities of browser plug-ins (flash/etc) this second architecture can be exploited by an attacker to gain access to any destination accessible by the proxy.,9,Brief intro into the Same
9、Origin Policy (SOP),A policy which permits scripts running on pages originating from the same site to access each others methods and properties without restrictions Site A can access Site As other content Site A generally cant access Site Bs content due to being on a different site/origin The same o
10、rigin policy is designed to restrict a sites access to itself Without the SOP Site A would be able to make requests to Site B and see the full response and Cookie data Technologies such as Silverlight and Flash have their own variants of the SOP enforced outside of the browser Flash: Crossdomain.xml
11、 files and Socket policy files,10,Flash and Sockets,Starting in Flash 9 Flash implemented socket policy files (socket master policy files) even for requests back to the same site hosting the flash Usually hosted on a socket policy server and not served up via HTTP Flash checks TCP port number 843 by
12、 default for this policy Can specify a custom location with Flashs loadPolicyFile() call Same general format as crossdomain.xmlMore info at http:/ this stage weve reviewed Proxy types and how their destination logic Same Origin Policy basics Flash and its socket policy filesNow, onto the badness!,12
13、,The Abuse Case,HTTP Request,HTTP Response,Evil Flash,,1.1.1.1,HTTP Request,HTTP Response,Socket Policy,HTTP Request,1.1.1.1,Socket() Policy Request,HTTP Response, Welcome to S!,GET / HTTP/1.0 Host: or GET http:/:80/ HTTP/1.0,,2.2.2.2,1.1.1.1,13,Impact (Technical version),Attacker can send HTTP Requ
14、ests to any host, and obtain full HTTP responses The proxy is actually making the requests, flash is used to facilitate thisFull TCP connection support in some cases (due to CONNECT!) Some intercepting proxies support explicit proxy evasion as a feature to prevent people in an organization from usin
15、g an external proxy, effectively falsifying the explicit proxy connection and tricking the client. ISPs unlikely to implement proxy avoidance (china maybe?) Depends on port restrictions for CONNECT method on the proxyLimitations Cookies and HTTP auth will not be obtainable because the SOP context is
16、 under Auth can be negotiated manually (brute forcing) NTLM/Basic/HTTP Based,14,Impact (Marketing version),Turn browsers into temporary botnet members Only for the length of time the malicious flash is loaded Perform brute forcing DDOS Flooding HTTP based DOS TCP connection based DOS Hard to track
17、due to the lack of installed malware Limited lifetimeIntranet TCP port scanning#! When the transparent proxy is on the local network, or LocalHost Otherwise allowed to make arbitrary TCP connections to internet Allow an attacker inside access to your network evading any NAT/firewalling in place depe
18、nding on the location of the proxy. Launch other attacks against local machines from the proxy Depends on the ACLS implemented on the proxy,15,What about proxies that are chained?,Depending on the network architecture/proxy combination you can still be vulnerable, even if your transparent proxy is b
19、asing its destination IP on the client DST IP If there are two chained transparent proxies, and one bases the destination on the HTTP payload, then youre vulnerable Transparent proxies utilizing explicit proxies always vulnerable,16,Non vulnerable chained proxy configurations,17,Demo,18,Manual Repro
20、duction,To identify if your environment is vulnerable you can perform the following manual steps.1. Perform a DNS lookup against a test website name 2. Telnet to that websites IP on port 80 ( $ telnet 80 ) 3. Paste the following request as the payload GET / HTTP/1.0Host: and/orGET http:/:80/ HTTP/1.
21、04. Hit enter twiceIt is important to specify a different website name in the Host header/URI Line. If you receive content from the host specified in the host header then youre affected.,19,Which kinds of products can be abused by this?,Classic Caching/Transparent proxies Squid Bluecoat (default con
22、figuration) Netcache Qbik WingateSecurity Gateways and parental control software Smoothwall, SchoolGuardian, and NetworkGuardian DansGuardian (web filtering gateway) Bloxx (web filtering gateway) Mac OS X Parental Control Software (Pre Snow Leopard) Many More,20,Further complications and related obs
23、ervations,Flashs socket policy binds to an IP Virtual hosting always going to be an issue when multiple sites share the same IP. Amit Klein wrote about these sorts of issues in multiple papers 7. Cloud computing environments may share 1 IP allowing for inter cloud host abuseUnnamed vendors implement
24、ing web filtering and/or caching tightly incorporated Approach B. Made modifying the product very difficult In some cases adding Approach A support would introduce other issues,21,How I stumbled on this abuse case,While writing a proxy scanner for work I discovered a bug in my code. Tool had an XML
25、list of IPs to connect to (to configure as a proxy) Tool had a list of target destinations to try to connect to through the proxy (e.g 10.x.x.x, 192.168.x.x, etc) An external IP (for debugging purposes) was accidentally left in my IP to connect to file. When I ran the tool it flagged that it was abl
26、e to access an local intranet site from my remote machine :/ Surprising to say the least Come to find out this bug wasnt a bug (Wireshark/tcpdump confirmed!) Surely this is a known issue!?,22,Discovery and Coordination,2007 Discovery Early 2008 in depth research begins September 2008 engaged Amit Kl
27、ein during Bluehat October 2008 Began vendor notifications November 2008 handed disclosure and notifications over to CERT(R) Coordination Center December 2008 Contacted Dan Kaminsky and began joint discussions with Amit Klein, and Adrian Chadd February 2009 CERT Publishes advisory March 9th 2009 Whi
28、tepaper published March 10th 2009 Buzzword contest held,23,Buzzword contest winners,The day after the paper was released I held a contest to name that talk/buzzword! Why? Because every security flaw has to have a jazzy buzzword associated with it otherwise youre not a real application security profe
29、ssional Actually Im pretty damned sick of security industry buzzwords so included this slide to poke fun at them Buzzword winners: ProxyJacking, PITM (Proxy in the middle attack) Talk name winner: Down with O.P.P. - other peoples proxy More amusing submissions http:/ problem,Transparent proxies fund
30、amentally alter the security assumptions No internet standards that define transparent/intercepting proxies RFC 2616 touches on it Proxy cant tell the difference between browser and flash Flash cant tell when a transparent proxy is being utilized Dan Kaminsky has published related research at http:/
31、,25,Who *should* fix this?,Opinions vary on who is responsible Proxy Vendors? Fair to say this only exists due to client side plugins with socket support The deployment scenario is a factor (traffic redirection is the sysadmins decision) Client Side plug-in vendors with socket support? It is fair to
32、 say they couldnt predict an intercepting proxy exhibiting this behavior, after all intercepting proxies arent documented in a standard! The HTTP standards? Fair to say that client side socket support wasnt anticipated, and breaks the usage model There is no standard that I could find outlining the
33、various approaches, and their pros and cons for transparent/intercepting proxying Clarity on intercepting proxies would be useful Sysadmins? Network configuration plays a part,26,Proxy vendor fix approaches,Emulate the IP destination, or Pass-through to it Bluecoat utilizes this method 12 Depends on
34、 the redirection/pass through configuration Many vendors lack the access required to gather this information Kernel/DriverVerify that the host in the URI resolves to at least one destination IP provided by the client DansGuardian utilizes this method 10 Approach causes problems with round robin DNS
35、Sites may become unreachable Squid team mentioned this in our discussions as well,Limit ports and implement ACLs Always a good thing to doResearch new methods New HTTP header to communicate the client DST IP? X-RemoteIP? X-ProxyClientDestinationIP? Came up while chatting with Adrian Chadd from SQUID
36、 Specific to chained proxy environmentsUltimately depends on the network/proxy deployment configurationProxy vendors are currently in the best position to outline the advantages and risks to each approach,27,Client-side technology fix approaches,Disable socket functionality (yeah, right!)Restrict th
37、e ports sockets connections can access Silverlight implements this restriction on ports 4502-4534 6. Flash has no such restrictions. Can still access web servers/TCP services on high ports . Albeit much lower chanceVendors need to investigate and enhance their restriction models,28,How can I protect
38、 my environment? (Sysadmins),No matter what your configuration is be sure to implement ACLS on your proxy and disallow access to sensitive hostsImplement port restrictions on your proxy when possible Can help to prevent port scanning and connecting to other services through the proxyCheck with your
39、product vendor on system hardening approaches Bluecoat has trust-destination-ip ignoring the host header 9 Smoothwall is investigating a fix 11Evaluate your transparent proxies usage, and evaluate your environments susceptibility,29,How can I protect myself? (Users),Security industry *answer* (impra
40、ctical answer) Disable Flash/Java/Silverlight and run client side plugins like NoScript Use telnet and Stunnel/Openssl for web surfingPractical answer Ensure your software is patched up to date Parental control software Web security software Web browser Software such as Flash/Silverlight/Java/Etc,30
41、,Conclusions,Client side Socket functionality facilitates this abuse case. Client side sockets arent going away anytime soon and are actually expanding (WebSocket standard in HTML5)If every client side technology vendor with Socket() support removed sockets, or found a *better way* of implementing t
42、hem this abuse case would go away. Until then we have to work around it, and be aware of it.A venue doesnt exist for documenting and standardizing the differences and risks between network designs, or proxy use cases (not in an RFC),A one size fits all *fix* simply isnt possible. Not every combinati
43、on of network and proxy deployment scenarios have a fix available Certain NAT, and proxy chain configurationsBottom line is some products can be abused and others cant due to the Proxy location on the network/network design Proxy architecture utilized in the product. Some products only have one mode
44、.More in depth information can be found in my whitepaper 1,31,About me,Play the part of an application security engineer at PayPal where I work on security testing approaches, and SDLC strategies Co Founder of The Web Application Security Consortium (http:/www.webappsec.org/) WASC Threat Classificat
45、ion Project leader (my second job) (http:/www.webappsec.org/projects/threat/) Founder and Moderator of The Web Security Mailing List (http:/www.webappsec.org/lists/websecurity/),32,Questions?,33,References,Socket Capable Browser Plugins Result In Transparent Proxy Abuse by Robert Auger 1 http:/ prox
46、y servers may incorrectly rely on HTTP headers to make connections2 http:/www.kb.cert.org/vuls/id/435052Staring Into The Abyss: Revisiting Browser v. Middleware Attacks In The Era of Deep Packet Inspection3 http:/ considerations and discussions about this issue 4 http:/www.ietf.org/mail-archive/web/
47、hybi/current/msg00031.html 5 http:/www.ietf.org/mail-archive/web/hybi/current/msg00032.html,34,References (Cont),Why does Silverlight have a restricted port range for Sockets? 6 http:/ by Amit Klein: “Forging HTTP request headers with Flash“7 http:/www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.htmlCVE8 CVE-2009-0801, CVE-2009-0802, CVE-2009-0803, CVE-2009-0804ProxySG in transparent deployments intercepting HTTP/HTTPS traffic9 https:/ Changelog10 http:/dansguardian.org/?page=historySmoothWall Information for VU#43505211 http:/www.kb.cert.org/vuls/id/MAPG-7M6SM7,