Minor blunders in reverse web proxies can result in critical security vulnerabilities on internal networks, the infosec world was warned this week.
James Kettle of PortSwigger, the biz behind the popular Burp Suite, has taken the lid off an “almost invisible attack surface” he argues has been largely “overlooked for years.” Kettle took a close look at reverse proxies, load balancers, and backend analytics systems, and on Thursday revealed his findings. For the unfamiliar, when browsers visit a webpage they may well connect to a reverse proxy, which fetches the content behind the scenes from other servers, and then passes it all back to the client as a normal web server.
Malformed requests and esoteric headers in HTTP fetches can potentially coax some of these systems into revealing sensitive information and opening gateways into victims' networks, Kettle discovered. Using these techniques, Kettle was able to perforate US Department of Defense networks, and trivially earn more than $30k in bug bounties in the process, as well as accidentally exploiting his ISP in the UK.
“While trying out the invalid host technique, I noticed pingbacks arriving from a small pool of IP addresses for payloads sent to completely unrelated companies, including cloud.mail.ru,” Kettle explained. A reverse DNS lookup linked those IP addresses to bn-proxyXX.ealing.ukcore.bt.net – a collection of systems belonging to BT, PortSwigger's broadband ISP. In other words, sending malformed HTTP requests to Mail.ru resulted in strange responses from his ISP's servers.
“Getting a pingback from Kent, UK, for a payload sent to Russia is hardly expected behaviour,” he added. This sparked his decision to investigate. The responses were coming back in 50ms, which was suspiciously fast for a request that's supposedly going from England to Russia and back via a datacenter in Ireland.
A TCP traceroute revealed that attempts to establish a connection with cloud.mail.ru using port 80 (aka HTTP) were intercepted by BT within the telco's network, but traffic sent to TCP port 443 (aka encrypted HTTPS) was not tampered with. “This suggests that the entity doing the tampering doesn't control the TLS certificate for mail.ru, implying that the interception may be being performed without mail.ru's authorisation or knowledge,” Kettle explained.
Further digging by the researcher revealed that the system he’d stumbled upon was primarily being used to block access to stuff like child sex abuse material and pirated copyrighted material. Essentially, these were the boxes inspecting and filtering Brits' internet traffic. “For years I and many other British pentesters have been hacking through an exploitable proxy without even noticing it existed,” according to Kettle.
Crucially, Kettle said he could reach BT's internal control panels for its snooping tech via these proxy servers. "I initially assumed that these companies must collectively be using the same cloud web application firewall solution, and noted that I could trick them into misrouting my request to their internal administration interface," he said.
Kettle added that, as well as this worrying security vulnerability, putting subscribers behind proxies is bad because if one of the boxes ends up on a blacklist, everyone gets blocked:
All BT users share the same tiny pool of IP addresses. This has resulted in BT's proxy IPs landing on abuse blacklists and being banned from a number of websites, affecting all BT users. Also, if I had used the aforementioned admin access vulnerability to compromise the proxy's administration panels, I could potentially reconfigure the proxies to inject content into the traffic of millions of BT customers.
Kettle reported the ability to access the internal admin panel to a personal contact at BT, who made sure it was quickly protected. The interception system is related to CleanFeed, which was built by BT in the mid-2000s to block access to images and videos of children being sexually abused. This technology was repurposed to target pirates illegally sharing movies, music, software and other copyrighted stuff. A Colombian ISP called METROTEL had a similar setup.
Later in his research, Kettle discovered that US Department of Defense proxies whitelist access to internal services using the Host header in HTTP requests, but forget that a hostname given in the GET request line (an absolute URL rather than a bare path) takes precedence over the Host header. So a browser could connect to the external-facing proxy, set the Host header in the request to a public-facing site like "darpa.mil" but GET "some-internal-website.mil", and get through to that intranet portal.
Essentially, he was able to route requests to servers intended to be accessible to US military personnel only.
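The routing mistake described above, modelled in Python as an added example (not code from Kettle's research or from any of the affected proxies): a vulnerable router that allow-lists on the Host header alone, next to a hardened one that resolves the destination the way the upstream will, from the request line first, and allow-lists that. The allow-list and the two sample requests are constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of public-facing hosts the proxy may forward to.
PUBLIC_ALLOWLIST = {"darpa.mil"}

# Constructed sample requests: one normal, one with an absolute URL in the
# request line that names a different host than the Host header.
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: darpa.mil\r\n\r\n"
MISMATCHED_REQUEST = (
    b"GET http://some-internal-website.mil/ HTTP/1.1\r\n"
    b"Host: darpa.mil\r\n\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, request-target, Host header) from a raw HTTP/1.1 request."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, target, host


def effective_host(target: str, host_header: str) -> str:
    """HTTP/1.1 rule: an absolute-form request-target overrides the Host header."""
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).netloc.lower()
    return host_header.lower()


def route_vulnerable(raw: bytes) -> Optional[str]:
    """Checks only the Host header, then forwards wherever the request line points."""
    _, target, host = parse_request(raw)
    if host.lower() not in PUBLIC_ALLOWLIST:
        return None
    return effective_host(target, host)


def route_hardened(raw: bytes) -> Optional[str]:
    """Allow-lists the host the upstream will actually see, and rejects any mismatch."""
    _, target, host = parse_request(raw)
    dest = effective_host(target, host)
    if dest not in PUBLIC_ALLOWLIST or (host and dest != host.lower()):
        return None
    return dest
```

The hardened router is also the detection logic: a request whose request-line authority disagrees with its Host header is worth logging even where it is ultimately blocked.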
“This flaw has since been resolved. It's likely that other non-DoD servers have the same vulnerability, though,” Kettle told El Reg.
On the back of his research, Kettle developed and released Collaborator Everywhere, an open-source Burp Suite extension that helps uncloak backend systems by automatically injecting non-damaging payloads into web traffic.
“To achieve any semblance of defence in depth, reverse proxies should be firewalled into a hardened DMZ, isolated from anything that isn't publicly accessible,” Kettle concluded.
His research is summarized in this blog post. To defend against these attacks, make sure your proxies and backend systems are not susceptible to this kind of request manipulation. Kettle presented his work at BSides in Manchester, England, on Thursday. ®