
| Subject: | RE: Loopholes in a proxy and smtp server |
|---|---|
| Date: | Thu, 14 Dec 2006 14:45:04 +1000 |
Which just made me think: let's say sites that you visit do this 'enumerating' via java/javascript and get your private IP (what auditmypc calls your nocturnal IP; never heard that term before). Now how do you stop this from happening at the gateway or on a client-based firewall? This is happening at the application layer, right? Like I said before, you can turn off java, but is there another way of stopping this? Like Matt said, is the threat worth worrying about? How could someone use the info to help map out your network? How hard would it be to do so, etc.?

-----Original Message-----
From: Matt Coffman [mailto:matt@binarybrain.net]
Sent: Thursday, December 14, 2006 11:30 AM
To: Murda Mcloud; 'Niranjan Patil'; security-basics@securityfocus.com
Subject: Re: Loopholes in a proxy and smtp server

You are right on, Murda. I personally don't see any real security concerns since the information is being obtained from your own browser. Let's face it, most IT shops use 192.168.0.0, 172.16.0.0 or a 10.something. Not much at risk other than a potential cracker bypassing your DHCP server if they try and connect directly to your network.

regards,
Matt

----- Original Message -----
From: "Murda Mcloud" <murdamcloud@bigpond.com>
To: "'Matt Coffman'" <matt@binarybrain.net>; "'Niranjan Patil'" <niranjan.patil@gmail.com>; <security-basics@securityfocus.com>
Sent: Wednesday, December 13, 2006 6:17 PM
Subject: RE: Loopholes in a proxy and smtp server

I think Matt is right here with regards to the script running; a similar thing happens at http://www.auditmypc.com/internet-security.asp. It gets the info from your browser via java. You can disable java, I guess, but I don't know what the implications of doing that would be on your proxy.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Matt Coffman
Sent: Thursday, December 14, 2006 7:33 AM
To: Niranjan Patil; security-basics@securityfocus.com
Subject: Re: Loopholes in a proxy and smtp server

I appreciate your concerns but let me try and shed some light. I believe DNS stuff is running JavaScript to gather that information. What does that mean? The script is actually running client side on your proxy server. Don't think for one minute that their site is traversing the firewall to gather that information - simply not the case.

As far as your SMTP concern: your mail server needs to communicate to SMTP servers sending to it whether an email is valid or not. Some of my clients run a very popular firewall that enables them to run the SMTP security service. This will appear to accept any email intended for that domain but won't actually forward the mail on to the mail server. Another option is to install a SPAM server.

hope this helps.
mc

----- Original Message -----
From: "Niranjan Patil" <niranjan.patil@gmail.com>
To: <security-basics@securityfocus.com>
Sent: Tuesday, December 12, 2006 11:09 PM
Subject: Loopholes in a proxy and smtp server

Hi All,

I have noticed two significant (well, I think they are) flaws in the design of one of the corporate proxy and SMTP servers I am consulting for. I googled for it and checked some RFCs too but couldn't get anything much helpful. Hope to get valuable info from you all.

1. The squid proxy is sending out its internal IP when forwarding the http requests to the outside world. I mean if the proxy's internal IP is 192.168.1.1 and its public IP is 1.1.1.1, it is sending both of them out to the Internet. To check this, you can open a site like www.dnsstuff.com, where it shows the public and private IP of your proxy (you need to have one). I guess they are not using any scripts to check my IP. Even if they had, they could find my own machine's IP and not my proxy's. I am not sure how to harden the proxy for this particular flaw.

2. The SMTP servers listening for incoming mail on the Internet are also giving out valuable information. When queries are made to them, they accept connections only to a valid email id in their address book. I mean when we respond to the RCPT command with an email id, it checks and throws out a message such as '[250 recipient <name@company.com> ok]' for a valid id and '[Could not connect: Got an unknown RCPT TO response: 501 #5.1.1 bad address nonexistingname@company.com]' for a non-existing email id, and closes the connection. Using this, anyone can get the address book of all valid email ids of that firm; he/she may use a simple script too. I don't think this is normal, and I need to address this soon. I checked out the popular free email providers like gmail, yahoo or hotmail; they accept connections for all email ids and then send back a mailer daemon for invalid ids.

Apologies for the long mail but I appreciate any help.

Regards,
Niranjan
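Flaw 1 in Niranjan's mail is the proxy disclosing its internal address to the outside world. The Python check below is added here as an example (it is not code from the thread, from Squid, or from dnsstuff): run over the request headers an origin server or an outbound-inspection point sees, it flags any RFC 1918, loopback or link-local IPv4 address carried in X-Forwarded-For, Via or Forwarded. It assumes those are the headers through which the proxy's address leaks (the thread does not say which), and the sample headers are constructed.

```python
import ipaddress
import re

# Constructed sample: headers an origin server would receive from a forwarding
# proxy that leaks its internal address (all values made up for this example).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-For": "192.168.1.1",
    "Via": "1.1 192.168.1.1 (squid)",
    "User-Agent": "Mozilla/5.0",
}

# Headers that carry addresses of upstream clients or proxies. Assumption:
# these are the headers through which the proxy in the thread leaks its IP.
ADDRESS_HEADERS = ("X-Forwarded-For", "Via", "Forwarded")

DOTTED_QUAD_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def private_ips_in_headers(headers):
    """Return (header_name, ip) pairs for every non-routable IPv4 address
    (RFC 1918, loopback, link-local) found in the address-carrying headers.
    Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    leaks = []
    for name in ADDRESS_HEADERS:
        for token in DOTTED_QUAD_RE.findall(lowered.get(name.lower(), "")):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. "300.1.1.1" passes the loose regex
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                leaks.append((name, str(ip)))
    return leaks
```

In Squid the corresponding hardening lives in squid.conf: `forwarded_for off` (or `forwarded_for delete` on releases that support it) and `via off` stop the proxy from inserting its own address into outbound requests.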
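For flaw 2, the defender-side counterpart is noticing a harvest of the address book while it is happening. This Python function, added here as an example and not taken from the thread, runs over constructed SMTP transaction log lines (the line format is invented for the example; the server responses follow the ones Niranjan quotes) and reports clients that accumulated a burst of 5xx RCPT TO rejections inside a short sliding window, which is how a directory harvest differs from an occasional mistyped address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (the line format is invented for this example; the
# server responses follow the ones quoted in the thread).
SAMPLE_LOG = """\
2006-12-12 23:09:01 203.0.113.7 RCPT TO:<alice@company.com> -> 250 recipient <alice@company.com> ok
2006-12-12 23:09:02 203.0.113.7 RCPT TO:<bob@company.com> -> 501 #5.1.1 bad address bob@company.com
2006-12-12 23:09:02 203.0.113.7 RCPT TO:<carol@company.com> -> 501 #5.1.1 bad address carol@company.com
2006-12-12 23:09:03 203.0.113.7 RCPT TO:<dave@company.com> -> 501 #5.1.1 bad address dave@company.com
2006-12-12 23:09:03 203.0.113.7 RCPT TO:<erin@company.com> -> 250 recipient <erin@company.com> ok
2006-12-12 23:09:04 203.0.113.7 RCPT TO:<frank@company.com> -> 501 #5.1.1 bad address frank@company.com
2006-12-12 23:15:00 198.51.100.9 RCPT TO:<sales@company.com> -> 250 recipient <sales@company.com> ok
2006-12-12 23:16:30 198.51.100.9 RCPT TO:<salse@company.com> -> 501 #5.1.1 bad address salse@company.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) RCPT TO:<[^>]*> -> (?P<code>\d{3}) "
)


def enumeration_suspects(log_text, max_rejects=3, window=timedelta(minutes=1)):
    """Return {client_ip: total_rejects} for every client that collected more
    than `max_rejects` 5xx RCPT rejections inside any sliding `window`.

    A legitimate sender mistypes an address now and then; a directory harvest
    produces a burst of rejections from one client.
    """
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("code").startswith("5"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        rejects[m.group("client")].append(ts)

    suspects = {}
    for client, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_rejects:
                suspects[client] = len(times)
                break
    return suspects
```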
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------