[PEN-TEST] MS Proxy 2.0
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Wed, 13 Sep 2000 15:19:32 -0700
There is a discussion on Focus-MS that I wanted to bring to you guys in
order to see if you had some expertise in breaching MS Proxy Server 2.0.
I am trying to get some concrete methods to perform the above. Here is the
snip from the last email I sent:
Yes, the filtering daemon runs on top of ISAPI, and then passes allowed
prot/ports/[direction] on to the ISAPI filters. This means that if you
discovered a new vuln in IIS, and you were letting [typically] 80 on
through, that you could jump through that guy and exploit IIS doing your
standard SAM hacks/backend listeners or what have you. The cool thing about
doing this on the proxy is that you typically enable access control, which
means that the proxy is always getting the hash from all your users on the
internal card - yippee!!
But, if the exploit were http, then even your PIX would let that guy in and
you are really in the same scenario. Please don't flame me with the "Are
you out of your mind comparing PIX to Proxy??!?"- that is not what I am
doing. I am simply drawing a differential between the filtering service and
any vulnerabilities beyond that layer. I would love to have a PIX firewall.
I simply cannot afford it. (Until I win the lottery :-) )
I am all for stateful packet inspection/dynamic filtering when you have to
have it and eagerly await ISAServer's final release.
I guess I bother to post this in response to those who "Avoid MS Proxy 2.0
like the plague" and other posts that bash the product without providing
examples of security holes. Don't get me wrong... I am not saying there are
none, I am just saying that I have not heard of any... Plenty in IIS, but
someone please provide an example of breaching the proxy service on a
properly configured machine.
Let's define that, BTW:
1) Multi homed External/private internal
2) All services on the external card disabled. No default route/wins or
that stuff configured for external ips.
3) IP forwarding disabled. (Don't use PPTP for RAS or anything silly like
that on the proxy!)
4) Stand alone server (no DC) and current SP's, with MS's recommended config
for IIS (It is, after all, an IIS box).
5) If you must publish, use reverse proxy to internal boxes.
6) IP Filtering (with ip frags) enabled and only what you must have going
Given this, someone please provide a mechanism (using a vuln in Proxy- not
IIS, not your basic tunnel through 53 to a back end listener, blah blah
blah) to compromise security. This will be valuable, and MUCH appreciated!
PS the ISAServer RC1 is available for dl at
If possible, please share any information you may have in regard to this
issue. Your time is appreciated.
thor () hammerofgod com
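Items 2 and 3 of the "properly configured" list above (no services listening on the external card, IP forwarding off) are the ones an auditor can verify mechanically from the box itself. The script below is an added example, not part of the original post or of Microsoft's product: it parses the text of Windows `netstat -an` and of a `reg query` of the Tcpip\Parameters key and reports listeners reachable from the external interface that are not on an explicit allow list, plus the `IPEnableRouter` value. Both inputs here are constructed samples; the external address 198.51.100.7 and the allow list of TCP/80 (reverse-published web) are assumptions for illustration. Note that a 0.0.0.0 (wildcard) bind counts as exposed on the external card, which is the usual way "disabled on the external card" quietly fails.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    198.51.100.7:139       0.0.0.0:0              LISTENING
  TCP    198.51.100.7:80        203.0.113.9:40211      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.0.1:53         *:*
"""

# Constructed sample of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
# IPEnableRouter is the NT registry switch for IP forwarding between cards.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters
    IPEnableRouter    REG_DWORD    0x1
    EnableSecurityFilters    REG_DWORD    0x1
"""

# Assumed for the example: the external card's address and what we deliberately publish.
EXTERNAL_IPS = {"198.51.100.7"}
ALLOWED = {("TCP", 80)}

# Proto, local addr:port, foreign addr, optional state (UDP rows have no state column).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(netstat_text):
    """Return the sockets that accept traffic: LISTENING TCP rows and every UDP row."""
    listeners = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not exposure
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def externally_exposed(listeners, external_ips, allowed):
    """Listeners reachable on the external card that are not on the allow list.

    A 0.0.0.0 bind is reachable on every card, so it counts as external."""
    return [
        l for l in listeners
        if (l.addr == "0.0.0.0" or l.addr in external_ips)
        and (l.proto, l.port) not in allowed
    ]


def ip_forwarding_enabled(reg_text):
    """True if IPEnableRouter is present and non-zero (absent means the NT default, 0)."""
    m = re.search(r"IPEnableRouter\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_text)
    return bool(m) and int(m.group(1), 16) != 0


def audit(netstat_text, reg_text, external_ips, allowed):
    """Summarise the two checks; 'clean' is True only when both pass."""
    exposed = externally_exposed(parse_listeners(netstat_text), external_ips, allowed)
    forwarding = ip_forwarding_enabled(reg_text)
    return {
        "exposed": sorted((l.proto, l.addr, l.port) for l in exposed),
        "ip_forwarding": forwarding,
        "clean": not exposed and not forwarding,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT, SAMPLE_REG, EXTERNAL_IPS, ALLOWED)
    for proto, addr, port in report["exposed"]:
        print(f"EXPOSED  {proto} {addr}:{port}")
    print("IP forwarding:", "ENABLED" if report["ip_forwarding"] else "disabled")
    print("Result:", "clean" if report["clean"] else "FAIL")
```

On the constructed sample the script flags RPC (135/tcp) and NetBIOS (137/udp) bound to the wildcard address, NetBIOS session (139/tcp) bound directly to the external address, and IP forwarding turned on; the inside-only listeners on 192.168.0.1 and the published TCP/80 are left alone.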