Re: Squid URL Filtering Bypass



A forward proxy server, when presented with a CONNECT request, is solely responsible for attempting to facilitate an end-to-end encrypted path between the requesting client and the far end server. The CONNECT method does no more than create a temporary hole in your firewall.

Only once that is done is a normal HTTP request, including headers such as the Host: header, passed over the encrypted path by the client. Most crucially, the proxy server cannot see the HTTP request or its headers due to the end-to-end encryption. You can use the encrypted path to carry any protocol or data you like and the proxy server is quite oblivious to it as it is opaque to the proxy.

The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.

You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.

The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass".

On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:

# Exploit Title: Squid URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: Squid Proxy
# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213


I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software believes in the Host field of HTTP Header using CONNECT method.
Example

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com


It is blocked.

CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)

It is blocked.

But:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.uol.com.br (allowed url)

The connection works.

From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.


This vulnerability is different from the CONNECT Tunnel method. The
flaw is on the Host field processing. The software believes on this
field.

So, any sites can be accessed. URL filtering in this software is
irrelevant and useless.
One of the most important (if not the most important) features of this
kind of device is to protect the network in accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malware, bypassing any protection.
I developed a Python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.
<proxy_bypass.py>
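
The policy point both messages turn on, as an added example (not code from either poster or from Squid): an access decision for CONNECT that is keyed only on the request-target, with a differing Host header recorded as a log signal and never used as a reason to allow. The block lists, port set and function names are assumptions built from the address and names quoted in the thread.

```python
import ipaddress

# Constructed policy for illustration, built from the address and names quoted on this page.
BLOCKED_NETS = [ipaddress.ip_network("66.220.147.44/32")]
BLOCKED_DOMAINS = {"facebook.com"}
ALLOWED_PORTS = {443}

def split_hostport(value):
    """Split 'host:port' or '[v6]:port'; port is None when absent."""
    host, sep, port = value.strip().rpartition(":")
    if not sep or not port.isdigit():
        return value.strip().strip("[]").lower(), None
    return host.strip("[]").lower(), int(port)

def parse_connect(raw):
    """Return (target_host, target_port, host_header) from a CONNECT request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, port = split_hostport(target)
    if port is None:
        raise ValueError("CONNECT target must be host:port")
    host_header = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host_header = value.strip()
    return host, port, host_header

def decide(raw):
    """Return (verdict, notes); the verdict depends on the request-target only."""
    host, port, host_header = parse_connect(raw)
    notes = []
    # A Host header naming a different destination is logged, never used to allow.
    if host_header and split_hostport(host_header)[0] != host:
        notes.append("host-header-mismatch")
    if port not in ALLOWED_PORTS:
        return "deny", notes + ["port-not-allowed"]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # target is a name, not an IP literal
        blocked = any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
    else:
        blocked = any(addr in net for net in BLOCKED_NETS)
    return ("deny" if blocked else "allow"), notes
```

The `host-header-mismatch` note is useful in proxy logs as a detection signal for clients that present one destination in the request line and another in the header.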


