The agent in Momo is improperly configured. It has been verified that attackers can bypass IP address filtering to detect sensitive resources.
The front-end Web Server of Momo is improperly configured and can be used as an HTTP proxy by attackers to bypass IP address filtering, detect sensitive resources, and even detect the Office intranet.
Test 10.1.1. *. The host is not found. There is no stranger internal network roaming information on wooyun. I did not perform a large-scale scan and only proved that the vulnerability exists.
Improper front-end Web Server Configuration:
http://beta.moirai.immomo.com:5050
Anonymous HTTP proxy, which can access any resource.
Two problems need to be confirmed:
1) is the office Intranet isolated from the Web Server?
2) IP Range of the office network
Due to limited time, I only prove that this proxy is available.
The proof is as follows:
Now I know that there are two external networks that cannot directly access port 80 Momo hosts:
aegis.immomo.combeta.moirai.immomo.com
However, the proxy can be used to access the corresponding web resources, and port 80 can be reached:
Configure the IE Proxy:
Proxy egress IP:
The idea of further attacks can be to Detect Intranet IP segments of 172, 10, and 192.
If the office Intranet is not isolated from the server, it becomes a relatively easy-to-use Intranet portal.
Vulnerability limitations:
Only HTTP resources can be proxies.
Solution:
Correctly configure proxy