Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: sockd loopback
From: jpr5 () DARKRIDGE COM (Jordan Ritter)
Date: Thu, 8 Jul 1999 09:38:31 -0400


On Thu, 8 Jul 1999 rieger () AT IBM COM wrote:

This allows for three typical exploit scenarios:
1) The client can circumvent IP filters that protect the firewall's
   services on the network interfaces.
2) The client can reach TCP services that are listening only on the
   loopback interface.
3) The client can circumvent IP address based authentication, because
   the accessed service only sees the loopback address with which
   sockd connected instead of the real client's address.

You've actually missed a fourth, related but not quite the same -- a
scenario where the (socks) proxy itself is listening on all interfaces,
loopback as well as external.  Connect to proxy, authenticate with proxy,
socks_connect to localhost, authenticate, socks_connect, wash rinse
repeat.  In most cases this will result in some form of resource
exhaustion, or as in some cases with Wingate's most recent version of
SOCKS, server death and even OS death (hang or blue screen).

Also, this isn't just limited to loopback; you're actually more likely to
accomplish this form of DoS by reconnecting to the proxy's external IP.
And, even if you block these kinds of "looped" connections, you can easily
bounce between two SOCKS servers to accomplish the same attack.

Of course, for any of the above to be an easily perpetrated attack, the
SOCKS server has to allow AUTH_NONE (method 0x00) authentication.
Unfortunately, by default most SOCKS servers do (although, IIRC Dante is
not one of these).

But when I used X Windows over a manipulated socks client to connect
to the socks server on the firewall and having it access port 6000 on
127.0.0.1, I succeed to take, e.g., a screendump from the firewall
display.

Oh, that's neat.

I did not test SOCKS 5; I only suppose that this very problem still
exists.

Yes, this is an issue concerning improper/incomplete access rules, not
about SOCKS4.  Certainly SOCKS5 could be used in this scenario, as well as
pretty much any other proxy software.

There is no immediately obvious, logical reason to allow connections from
the server to the server.  Therefore, a properly configured SOCKS server
(and really, any proxy in general) should block any connection request
whose destination is an IP owned by the proxy -- loopback, and all
external interfaces.

--jordan


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]