AdSubtract Proxy ACL Bypass Vulnerability

URL: http://www.lurhq.com/advisory20030604.html
Release Date: June 4, 2003
Author: Joe Stewart

About AdSubtract

AdSubtract is one of the leading products in the banner-ad blocking software market. It is frequently bundled with modems from several leading manufacturers and has an estimated installed user base in the millions.

Impact

Medium; unauthorized users may proxy from any origin to any destination, including reverse connections back into the LAN. Attackers may be able to access protected intranet documents or portscan internal machines. Although the CONNECT method is not supported by AdSubtract, LURHQ was able to confirm the risk of abuse of AdSubtract proxies by spammers to proxy SMTP connections using other methods.

Vendor: interMute, Inc.
Product: AdSubtract/AdSubtract Pro
Versions: 2.55 and below

Description

AdSubtract is a proxy server designed to block pop-ups, banner ads, animations, sounds and unwanted cookies. It typically runs as a service on the computer for which it is acting as a proxy, although it can be configured to act as a proxy server for an entire LAN. By default it listens for proxy connections on ports 4444 and 11523 on all interfaces, but has access control so that only localhost (127.0.0.1) can use the service by default.

Due to a design flaw, the access-control mechanism can be fooled into passing traffic for any source. An attacker can set up a PTR record for a host in the attacker's domain using a hostname such as "127.0.0.1.example.com". The AdSubtract server performs reverse DNS resolution on the connecting IP address and mistakenly authorizes the connection because the string "127.0.0.1" appears in the resolved hostname; the access check is a substring match on the name rather than a comparison of the actual source address. Logging of HTTP requests is turned off by default, so no record of any abuse will be found on the system being attacked.

Vendor Status

Vendor was notified on May 5, 2003. Confirmation of the notification was received but no further response was given, despite several emails sent inquiring on the status of an updated version.

Solution

At the time of this release the vendor has not provided an updated version of the software to fix the vulnerability. Therefore it is our recommendation to remove AdSubtract from any computer directly connected to the Internet. Sites that use proxy testing software to deny connections from open proxies may want to include the conditions for this ACL bypass in their test parameters.

About LURHQ Corporation

LURHQ Corporation is the trusted provider of Managed Security Services. Founded in 1996, LURHQ has built a strong business protecting the critical information assets of more than 400 customers by offering managed intrusion prevention and protection services. LURHQ's 24X7 Incident Handling capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery methodology facilitates a true partnership with customers by providing a real time view of the organization's security status via the Sherlock Enterprise Security Portal. For more information visit http://www.lurhq.com/

Copyright (c) 2003 LURHQ Corporation

Permission is hereby granted for the redistribution of this document electronically. It is not to be altered or edited in any way without the express written consent of LURHQ Corporation. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please e-mail advisories@lurhq.com for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties implied or otherwise with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Feedback

Updates and/or comments to:
LURHQ Corporation
http://www.lurhq.com/
advisories@lurhq.com
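The design flaw described above, modelled as an added example (not AdSubtract's code or LURHQ's): the flawed check authorizes on a substring match against a reverse-DNS name that the connecting party's domain owner controls, while the hardened check decides on the socket peer address alone. The reverse-DNS table is constructed for the demonstration; the 203.0.113.0/24 address is a documentation range, not a real host.

```python
import ipaddress

# Default ACL as the advisory describes it: only localhost may use the proxy.
ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.1/32")]

# Constructed stand-in for reverse DNS (no real lookups are performed).
# The second entry mirrors the PTR trick the advisory describes: a remote
# host whose reverse name merely contains the string "127.0.0.1".
CONSTRUCTED_PTR = {
    "127.0.0.1": "localhost",
    "203.0.113.5": "127.0.0.1.example.com",
}


def reverse_lookup(peer_ip: str) -> str:
    """Return the PTR name for peer_ip, or the address itself when none exists."""
    return CONSTRUCTED_PTR.get(peer_ip, peer_ip)


def flawed_acl_allows(peer_ip: str) -> bool:
    """Flawed check (models the advisory's description): resolve the peer to a
    hostname and allow it if an allowed address appears anywhere in that name.
    The name comes from a PTR record the remote party's domain owner controls,
    so this is decided by attacker-influenced data, not by the real source."""
    name = reverse_lookup(peer_ip)
    return any(str(net.network_address) in name for net in ALLOWED_SOURCES)


def hardened_acl_allows(peer_ip: str) -> bool:
    """Hardened check (added here, not the vendor's fix): parse the peer
    address the socket reports and match it against the allowlist. Reverse
    DNS is never consulted, so PTR records cannot influence the decision."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # not a parseable address: deny rather than guess
    return any(addr in net for net in ALLOWED_SOURCES)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.5"):
        print(ip, "flawed:", flawed_acl_allows(ip),
              "hardened:", hardened_acl_allows(ip))
```

Running the block shows the remote 203.0.113.5 admitted by the flawed check and denied by the hardened one, while loopback is admitted by both; a proxy test that includes this bypass condition should exercise exactly that first case.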