Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: Michael Meyer <michael.meyer () greenbone net>
Date: Wed, 12 Oct 2011 20:03:03 +0200

*** Gutek <ange.gutek () gmail com> wrote:
Le 12/10/2011 09:34, Michael Meyer a écrit :

With such a wrong "ip", a vulnerable server immediately returns a 200 and
"Bad Gateway". Could you confirm that? 

I'd rather say no. On the first hand, Contextis' analysis concludes that
(in the case of the LAN ip test, that's different for the other ones) a
vulnerable reverse proxy should return an *error*

They are talking about an error *page* in their report. My vulnerable
system returns an error *page*. ;)

within a *delay*

There could be no delay, if you are using such a wrong "ip" like
"6666.6666.6666.6666". The apache *must* immediately fail to connect.

[Wed Oct 12 19:41:26 2011] [error] [client 192.168.2.7] proxy: DNS lookup failure for: 6666.6666.6666.6666 returned by 
@6666.6666.6666.6666

There is only a delay, if you are using a *valid* ip which is not
within the current network. 

According to this statement, *immediately* should be the evidence for a
*non* -vulnerable target,

Only if you are using a *valid* ip which is within the current
network. 

I have a delay if i'm using e.g. "@10.10.10.1 HTTP/1.0" in an
192.168.2.0/24. 

and a 200 as well, whatever the title would be.

I got always a 200 from vulnerable systems.

On the other hand, my own tests seem to show that everytime I get a 200,
that was in fact a false-positive. It seems to confirm the Contextis
conclusion on that matter.

,----|
| mime () kira[13]: ~ 0)$ telnet 192.168.2.7 80 
| Trying 192.168.2.7...
| Connected to 192.168.2.7.
| Escape character is '^]'.
| GET @10.10.10.1 HTTP/1.0
|
| HTTP/1.1 200 OK
|
| [...]
|
| <title>Service unavailable!
`----|

The exploit at http://www.exploit-db.com/exploits/17969/ also accept
200 as a valid response code for vulnerable servers.

You maybe should try to setup a vulnerable environment.

Micha

-- 
Michael Meyer                            OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]