Last Updated: 2007-03-26 23:33:28 UTC
by Swa Frantzen (Version: 2)
Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deep enough to not have to fix it again. Unfortunately no such luck was with us.
wpad names in DNS or WINS that are inserted by malicious locals are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.
To summarize to use WPAD yourself in your DHCP:
add this to your config:
option option-252 "http://example.com/path/to/proxyconfig.pac";
option wpad code 252 = text
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.
- Microsoft's DHCP:
If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)
Swa Frantzen -- NET2S
Last Updated: 2007-03-26 16:19:16 UTC
by Johannes Ullrich (Version: 1)
Last Updated: 2007-03-26 15:10:31 UTC
by Arrigo Triulzi (Version: 1)
The setup, a standard Apache running on OpenBSD 4.0, consists of an SSL password-protected virtual host, a single page redirecting from the non-SSL virtual host to the SSL version if you forget the 's' and a blank page waiting for connections on the direct IP address without the correct Host: directive.
The interesting logs are obviously the ones for the direct IP address accesses...
83.180.231.X - [24/Mar/2007:15:12:30 +0100] "GET / HTTP/1.1" 200 291 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:126.96.36.199pre) Gecko/20070223 Camino/1.1b"
217.172.253.X - - [24/Mar/2007:15:43:33 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
217.172.253.X - - [24/Mar/2007:16:30:06 +0100] "GET / HTTP/1.0" 200 274 "-" "-"
208.11.16.X - - [25/Mar/2007:01:05:00 +0100] "\x10\x01" 501 - "-" "-"
217.172.239.X - - [25/Mar/2007:12:39:37 +0200] "GET / HTTP/1.0" 200 274 "-" "-"
82.165.42.X - - [25/Mar/2007:15:11:15 +0200] "GET / HTTP/1.1" 200 274 "-" "Mozilla/5.0"
So, the first one, no prizes for guessing correctly, would be yours truly testing that the site works (hey, I actually have a valid User-Agent!).
Barely 20 minutes later someone visits a completely unannounced website with no www.domain CNAME assigned to it from Poland (hi there!), twice, from the same IP on some DSL provider in Lodz. Then, someone from the USA visits, middle of the night for me, comfortable mid-morning coffee script-kidding for him, sitting on wythenet.com trying a nice hex escape to try and tickle the server for information. Then around midday our friend from Poland comes again (my dear chap you might benefit from a database to archive the info...) but from a different net and "closing the first day of life" we are visited by a well-hacked server in Germany.
Making good(?) use of the collected information
So, after the in-depth mapping of the server (which is, incidentally running nothing bar Apache, no modules, ServerTokens appropriately set, etc.) the first script kiddie "attacks":
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
208.11.16.X - - [25/Mar/2007:16:24:36 +0200] "GET /db/main.php HTTP/1.0" 404 287 "-" "-"
So this is the gentleman coming in from the USA who has gathered the data from his "scan" and is now attacking the sites after breakfast (his breakfast of course, middle of the afternoon for Europe). He is finished quite quickly:
208.11.16.X - - [25/Mar/2007:16:25:21 +0200] "GET /admin/phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 311 "-" "-"
To make the Sunday more interesting we have someone trying to SSL brute force the server:
194.235.70.X - - [25/Mar/2007:17:17:25 +0200] "GET /sumthin HTTP/1.0" 404 283 "-" "-"
The line above is the signature of the ATD OpenSSL Mass Exploiter and if you bother looking for the IP address on Google you will see that the particular sort-of-obfuscated IP has been active for a while (and has now finally been reported to the guilty party).
What about day 2?
Monday morning is boringly quiet until after lunch when we have someone looking for FrontPage vulnerabilities:
85.25.140.X - - [26/Mar/2007:14:33:35 +0200] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 316 "-" "core-project/1.0"
I guess the logic might be "new host, middle of a large colo block, could well be FrontPage...", seems to be a one-off but comes from one of those large server4you farms in Germany so could well be the result of the European scanning on Saturday.
Obviously 24 hrs must be the standard "nobody checks their logs for that long" period because our last visitor from Sunday now returns and plays PHP games:
82.165.42.X - - [26/Mar/2007:15:30:14 +0200] "GET / HTTP/1.0" 200 274 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /index.php HTTP/1.0" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /wbb2/index.php HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
82.165.42.X - - [26/Mar/2007:15:30:15 +0200] "POST /board/index.php HTTP/1.0" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Somewhat more thorough than our US scanner he is done faster since he is on a faster and very close (three hops...) link to my server:
82.165.42.X - - [26/Mar/2007:15:30:35 +0200] "POST /database/main.php HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
At which point the obvious observation is that these days you barely have the time to put a website up before it is visited, catalogued and exploited (fortunately with untargeted automated tools).
Now, for extra points, who spotted the time change in the preamble where the timezone offset goes from GMT+1 (CET) to GMT+2 (CEST)?