Thursday, October 13, 2011

Scanning for bypassable reverse proxies

Context recently wrote an interesting article on a new technique to bypass reverse proxies. I, of course, got right to work on writing a Metasploit scanner module to check for vulnerable servers. This is a quick log dump of using that module.

chao@blog:/opt/framework3$ ./msfconsole -L
...
msf > use auxiliary/scanner/http/rewrite_proxy_bypass
msf  auxiliary(rewrite_proxy_bypass) > info

       Name: Reverse Proxy Bypass Scanner
     Module: auxiliary/scanner/http/rewrite_proxy_bypass
    Version: 13886
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  chao-mu

Basic options:
  Name               Current Setting  Required  Description
  ----               ---------------  --------  -----------
  BASELINE_URI       /                yes       Requested to establish that EXPECTED_RESPONSE is not the usual response
  ESCAPE_SEQUENCE    @                yes       Character(s) that terminate the rewrite rule
  EXPECTED_RESPONSE  502              yes       Status code that indicates vulnerability
  INJECTED_URI       ...              yes       String injected after escape sequence
  Proxies                             no        Use a proxy chain
  RHOSTS                              yes       The target address range or CIDR identifier
  RPORT              80               yes       The target port
  THREADS            1                yes       The number of concurrent threads
  VHOST                               no        HTTP server virtual host

Description:
  Scan for poorly configured reverse proxy servers. By default, this 
  module attempts to force the server to make a request with an 
  invalid domain name. Then, if the bypass is successful, the server 
  will look it up and of course fail, then responding with a status 
  code 502. A baseline status code is always established and if that 
  baseline matches your test status code, the injection attempt does 
  not occur. "set VERBOSE true" if you are paranoid and want to catch 
  potential false negatives. Works best against Apache and mod_rewrite

References:
  http://www.contextis.com/research/blog/reverseproxybypass/
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3368

msf  auxiliary(rewrite_proxy_bypass) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf  auxiliary(rewrite_proxy_bypass) > exploit

[+] 10.0.0.1:80 is vulnerable!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(rewrite_proxy_bypass) > set verbose true
verbose => true
msf  auxiliary(rewrite_proxy_bypass) > exploit

[*] 10.0.0.1 took 0.0856 seconds to respond to URI /
[*] 10.0.0.1 responded with status code 302 to URI /
[*] 10.0.0.1 took 0.056552 seconds to respond to URI @...
[*] 10.0.0.1 responded with status code 502 to URI @...
[+] 10.0.0.1:80 is vulnerable!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Posted by at 6 comments:
Labels: ,
Subscribe to: Posts (Atom)