J-Security Center

Title: AdSubtract Proxy ACL Bypass Connection Proxying Vulnerability

Severity: HIGH

Description:

AdSubtract Proxy is connection proxying software designed to block banner-ads, cookies, and other unwanted HTTP traffic. The software listens for proxy connections on ports 4444 and 11523. AdSubtract enforces an access control list that restricts all but localhost (127.0.0.1) from establishing connections.

A vulnerability has been reported for AdSubtract Proxy. The problem occurs because the application does not sufficiently validate hostnames returned by reverse DNS lookups.

By using a DNS server to host a malicious PTR record, the attacker may prepend the string '127.0.0.1' to the hostname. In doing so the attacker may be capable of bypassing the access control policy used by AdSubtract. This occurs because AdSubtract matches the malformed record against the localhost access control entry and so treats the connection as authorized.

Successful exploitation of this vulnerability could result in an anonymous remote user proxying malicious connections through a target AdSubtract service. This may help an attacker carry out further unrelated attacks anonymously.

This vulnerability is exacerbated by the fact that HTTP logging is not enabled in AdSubtract by default. This effectively allows an attacker to carry out this attack without leaving a trace.
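The sketch below is an added example, not AdSubtract code and not part of the original advisory. It models the flawed ACL check as a prefix match on the reverse-DNS name (an assumption, since the advisory does not show the actual comparison) beside a check that uses only the socket peer address. The PTR table, hostnames and function names are constructed for illustration.

```python
import ipaddress

# Constructed PTR data: peer address -> name returned by reverse DNS.
# 203.0.113.7 is a documentation address whose PTR zone the attacker controls.
CONSTRUCTED_PTR = {
    "203.0.113.7": "127.0.0.1.attacker.example",
    "198.51.100.9": "host9.isp.example",
}
LOCALHOST_ENTRY = "127.0.0.1"  # the ACL entry named in the advisory


def reverse_lookup(peer_ip):
    """Stand-in for a PTR lookup; returns the address text when no record exists."""
    return CONSTRUCTED_PTR.get(peer_ip, peer_ip)


def acl_allows_flawed(peer_ip):
    """Assumed model of the flaw: the ACL entry is compared with the
    reverse-DNS name, which whoever runs the peer's PTR zone can choose."""
    return reverse_lookup(peer_ip).startswith(LOCALHOST_ENTRY)


def acl_allows_hardened(peer_ip, allowed=("127.0.0.1/32",)):
    """Decide on the socket peer address only, parsed as an IP address and
    tested for network membership. DNS data takes no part in the decision."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # not an address literal: deny
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def disagreements(peers):
    """Peers that the flawed check admits but the hardened check rejects."""
    return [p for p in peers if acl_allows_flawed(p) and not acl_allows_hardened(p)]


if __name__ == "__main__":
    print(disagreements(["127.0.0.1", "203.0.113.7", "198.51.100.9"]))
```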

Affected Products:

  • AdSubtract AdSubtract Proxy 2.50.0
  • AdSubtract AdSubtract Proxy 2.51.0
  • AdSubtract AdSubtract Proxy 2.52.0
  • AdSubtract AdSubtract Proxy 2.53.0
  • AdSubtract AdSubtract Proxy 2.54.0
  • AdSubtract AdSubtract Proxy 2.55.0
