Multiple vendors' HTTP proxy services use insecure default configurations that could allow an attacker to make arbitrary TCP connections to internal hosts or to external third-party hosts.
HTTP proxy services commonly support the HTTP CONNECT method, which is designed to create a TCP connection that bypasses the normal application layer functionality of the proxy service. Typically, the HTTP CONNECT method is used to tunnel HTTPS connections through an HTTP proxy. The proxy service does not decrypt the HTTPS traffic, as this would violate the end-to-end security model used by TLS/SSL.
The HTTP CONNECT method is described in an expired IETF Internet-Draft written in 1998 by Ari Luotonen. This document clearly explains the security risks associated with the HTTP CONNECT method:
The HTTP CONNECT method, as well as other HTTP methods and FTP commands, can be abused to establish arbitrary TCP connections through vulnerable proxy services. An attacker could use a vulnerable proxy service on one network as an intermediary to scan or connect to TCP services on another network. In a more severe case, an attacker may be able to establish a connection from a public network, such as the Internet, through a vulnerable proxy service to an internal network.
An instance of this vulnerability in Check Point FireWall-1 was reported by Volker Tanger in February 2002. The CERT/CC thanks Ronald Guilmette for information used in this document.
This document was written by Art Manion.
|Date First Published:||2002-05-17|
|Date Last Updated:||2005-04-29 15:07 UTC|