Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: Gutek <ange.gutek () gmail com>
Date: Tue, 11 Oct 2011 18:23:17 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le 11/10/2011 15:17, Michael Meyer a écrit :
*** Gutek <ange.gutek () gmail com> wrote:

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-11 14:41 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Number of received responses: 3
NSE: http-reverseproxy-bypass : test 1 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: http-reverseproxy-bypass : test 2 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: http-reverseproxy-bypass : test 3 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: Finished http-reverseproxy-bypass against 192.168.2.7:80.
Nmap scan report for 192.168.2.7
Host is up (0.000049s latency).
Scanned at 2011-10-11 14:41:39 CEST for 95s
PORT   STATE SERVICE
80/tcp open  http
|_http-reverseproxy-bypass: NOT found vulnerable to CVE-2011-3368, but allows requests to external websites
Final times for host: srtt: 49 rttvar: 5000  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /opt/nmap/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 95.20 seconds
------------------------------------------------------------

mime () kira[13]: ~ 0)$ netstat -n | grep 10\\.
tcp        0      1 192.168.2.7:45166       10.0.0.61:80            SYN_SENT

if reference.status and chrono_request > (chrono_404+1) then -- vulnerable if we get an error status after a 
consequent delay

I guess, that reference.status is not true, if the response take longer than
the 30 second timeout?

Yes, that's the key point : getting an error status code, whatever it
could be. Maybe a 30s timeout is, here, too short ? On the other hand, a
timeout of >1m could make this script very slow. I have to figure out
the best balance between speed and efficiency.


mime () kira[18]: ~ 0)$ date
Di 11. Okt 14:57:39 CEST 2011
           ^^^^^^^^
mime () kira[18]: ~ 0)$ telnet 192.168.2.7 80
Trying 192.168.2.7...
Connected to 192.168.2.7.
Escape character is '^]'.
GET @10.10.10.10 HTTP/1.0


[Tue Oct 11 15:01:01 2011] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to 10.10.10.10:80 (*) 
failed
            ^^^^^^^^
I have to wait ~3 minutes for a response if the host is in an other network. 

HTH

Micha 


Thanks for testing, that's the kind of feedback I need !

Regards,

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6UbXUACgkQ3aDTTO0ha7gwLwCbBZtAEFrPVDM6bouJWcoH2+O5
sLIAnA5CjZUOLytVkayfBG64fiq4Tl7P
=CAhV
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]