chao@blog:/opt/framework3$ ./msfconsole -L
...
msf > use auxiliary/scanner/http/rewrite_proxy_bypass
msf auxiliary(rewrite_proxy_bypass) > info

       Name: Reverse Proxy Bypass Scanner
     Module: auxiliary/scanner/http/rewrite_proxy_bypass
    Version: 13886
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  chao-mu

Basic options:
  Name               Current Setting  Required  Description
  ----               ---------------  --------  -----------
  BASELINE_URI       /                yes       Requested to establish that EXPECTED_RESPONSE is not the usual response
  ESCAPE_SEQUENCE    @                yes       Character(s) that terminate the rewrite rule
  EXPECTED_RESPONSE  502              yes       Status code that indicates vulnerability
  INJECTED_URI       ...              yes       String injected after escape sequence
  Proxies                             no        Use a proxy chain
  RHOSTS                              yes       The target address range or CIDR identifier
  RPORT              80               yes       The target port
  THREADS            1                yes       The number of concurrent threads
  VHOST                               no        HTTP server virtual host

Description:
  Scan for poorly configured reverse proxy servers. By default, this
  module attempts to force the server to make a request with an
  invalid domain name. Then, if the bypass is successful, the server
  will look it up and of course fail, then responding with a status
  code 502. A baseline status code is always established and if that
  baseline matches your test status code, the injection attempt does
  not occur. "set VERBOSE true" if you are paranoid and want to catch
  potential false negatives. Works best against Apache and mod_rewrite

References:
  http://www.contextis.com/research/blog/reverseproxybypass/
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3368

msf auxiliary(rewrite_proxy_bypass) > set rhosts 10.0.0.1
rhosts => 10.0.0.1
msf auxiliary(rewrite_proxy_bypass) > exploit

[+] 10.0.0.1:80 is vulnerable!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rewrite_proxy_bypass) > set verbose true
verbose => true
msf auxiliary(rewrite_proxy_bypass) > exploit

[*] 10.0.0.1 took 0.0856 seconds to respond to URI /
[*] 10.0.0.1 responded with status code 302 to URI /
[*] 10.0.0.1 took 0.056552 seconds to respond to URI @...
[*] 10.0.0.1 responded with status code 502 to URI @...
[+] 10.0.0.1:80 is vulnerable!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Thursday, October 13, 2011
Scanning for bypassable reverse proxies
Context recently wrote an interesting article on a new technique to bypass reverse proxies. I, of course, got right to work on writing a Metasploit scanner module to check for vulnerable servers. This is a quick log dump of using that module.
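The module's info text above describes a two-step decision: fetch BASELINE_URI, skip the probe if its status already equals EXPECTED_RESPONSE (the false-negative case the VERBOSE hint is about), otherwise send ESCAPE_SEQUENCE + INJECTED_URI and flag the host if that response matches EXPECTED_RESPONSE. The following is an added Python example of that classification logic for auditing your own proxies; it is not the module's Ruby code. The `Transport` callable, `table_transport` helper and the three response tables are constructed for offline use and do not come from the page or from a real host.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical transport type: anything that maps a request URI to the HTTP
# status code the proxy answered with. A real implementation would issue the
# request; the constructed one further down just consults a table.
Transport = Callable[[str], int]


@dataclass
class ProbeResult:
    baseline_uri: str
    baseline_status: int
    probe_uri: Optional[str]      # None when the probe was skipped
    probe_status: Optional[int]   # None when the probe was skipped
    skipped: bool                 # baseline already equalled expected_response
    vulnerable: bool


def check_reverse_proxy(send: Transport,
                        baseline_uri: str = "/",
                        escape_sequence: str = "@",
                        injected_uri: str = "...",
                        expected_response: int = 502) -> ProbeResult:
    """Decision logic as the module's description states it (option names
    follow the module's; defaults are the module's defaults).

    1. Request baseline_uri and record its status.
    2. If that status already equals expected_response the probe could not
       tell a misconfigured proxy from a host that returns that code anyway,
       so the injection attempt is skipped rather than reported either way.
    3. Otherwise request escape_sequence + injected_uri; a response equal to
       expected_response means the rewrite rule forwarded the request to a
       name the server could not resolve, i.e. the proxy is bypassable.
    """
    baseline_status = send(baseline_uri)
    if baseline_status == expected_response:
        return ProbeResult(baseline_uri, baseline_status, None, None, True, False)

    probe_uri = escape_sequence + injected_uri
    probe_status = send(probe_uri)
    return ProbeResult(baseline_uri, baseline_status, probe_uri, probe_status,
                       False, probe_status == expected_response)


def table_transport(responses: Dict[str, int], default: int = 404) -> Transport:
    """Constructed offline transport: answers from a fixed URI -> status table."""
    def send(uri: str) -> int:
        return responses.get(uri, default)
    return send


# Constructed response tables (sample data, not captured from a real host).
VULNERABLE_PROXY = {"/": 302, "@...": 502}   # same codes as the transcript above
HARDENED_PROXY = {"/": 302, "@...": 400}     # proxy rejects the malformed request-URI
ALWAYS_502_HOST = {"/": 502, "@...": 502}    # backend down: probe is inconclusive


def main() -> None:
    for label, table in (("vulnerable", VULNERABLE_PROXY),
                         ("hardened", HARDENED_PROXY),
                         ("always-502", ALWAYS_502_HOST)):
        r = check_reverse_proxy(table_transport(table))
        if r.skipped:
            state = "skipped (baseline already returns the expected code)"
        else:
            state = "vulnerable" if r.vulnerable else "not vulnerable"
        print(f"{label:>10}: baseline {r.baseline_status}, "
              f"probe {r.probe_status}, {state}")


if __name__ == "__main__":
    main()
```

The "always-502" table is the case worth watching in your own scans: a proxy whose backend is simply down returns 502 for everything, so the probe is skipped and the host is reported as neither vulnerable nor safe. Re-test such hosts once the backend is healthy rather than treating the silence as a clean result. On the fix side, the CVE-2011-3368 advisory for Apache recommends anchoring proxying RewriteRule and ProxyPassMatch patterns on a leading slash (for example `^/(.*)` rather than `^(.*)`), which is the configuration the "hardened" table models.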