[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200306041101.33189.advisories@lurhq.com>
From: advisories at lurhq.com (advisories@...hq.com)
Subject: AdSubtract Proxy ACL Bypass Vulnerability
AdSubtract Proxy ACL Bypass Vulnerability
URL
http://www.lurhq.com/advisory20030604.html
Release Date
June 4, 2003
Author
Joe Stewart
About AdSubtract
AdSubtract is one of the leading products in the banner-ad blocking
software market. It is frequently bundled with modems from several
leading manufacturers and has an estimated installed user base in the
millions.
Impact
Medium; unauthorized users may proxy from any origin to any destination,
including reverse connections back into the LAN. Attackers may be able
to access protected intranet documents or portscan internal machines.
Although the CONNECT method is not supported by AdSubtract, LURHQ was
able to confirm the risk of abuse of AdSubtract proxies by spammers to
proxy SMTP connections using other methods.
Vendor
interMute, Inc.
Product
AdSubtract/AdSubtract Pro
Versions
2.55 and below
Description
AdSubtract is a proxy server designed to block pop-ups, banner ads,
animations, sounds and unwanted cookies. It typically runs as a service
on the computer for which it is acting as a proxy, although it can be
configured to act as a proxy server for an entire LAN. By default it
listens for proxy connections on port 4444 and 11523 on all interfaces,
but has access control so that only localhost (127.0.0.1) can use the
service by default.
Due to a design flaw, the access-control mechanism can be fooled into
passing traffic for any source. An attacker can set up a PTR record for
a host in the attacker's domain using a hostname such as
"127.0.0.1.example.com". The AdSubtract server will do reverse DNS
resolution on the IP address and will mistakenly authorize the
connection based on finding the string "127.0.0.1" in the hostname.
Logging of http requests is turned off by default, so no record of any
abuse will be found on the system being attacked.
Vendor Status
Vendor was notified on May 5, 2003. Confirmation of the notification
was received but no further response was given, despite several emails
sent inquiring on the status of an updated version.
Solution
At the time of this release the vendor has not provided an updated
version of the software to fix the vulnerability. Therefore it is our
recommendation to remove AdSubtract from any computer directly
connected to the Internet.
Sites who use proxy testing software to deny connections from open
proxies may want to include the conditions for this ACL bypass in their
test parameters.
About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security Services.
Founded in 1996, LURHQ has built a strong business protecting the
critical information assets of more than 400 customers by offering
managed intrusion prevention and protection services. LURHQ's 24X7
Incident Handling capabilities enable customers to enhance their
security posture while reducing the costs of managing their security
environments. LURHQ's OPEN Service Delivery methodology facilitates a
true partnership with customers by providing a real time view of the
organization's security status via the Sherlock Enterprise Security
Portal. For more information visit http://www.lurhq.com/
Copyright (c) 2003 LURHQ Corporation Permission is hereby granted for
the redistribution of this document electronically. It is not to be
altered or edited in any way without the express written consent of
LURHQ Corporation. If you wish to reprint the whole or any part of this
document in any other medium excluding electronic media, please e-mail
advisories@...hq.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties implied or otherwise with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.
Feedback
Updates and/or comments to:
LURHQ Corporation
http://www.lurhq.com/
advisories@...hq.com
Powered by blists - more mailing lists