[Snort-users] Misconfigured firewall triggering alerts?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Thu Jan 31 16:40:03 EST 2002


I stumbled on something interesting and was wondering if anyone else has
noticed this?

On a daily basis I see alerts for the "WEB-MISC long basic authorization
string" vulnerability in my logs. This vulnerability exists on some Unix and
Mac web servers where, if the authorization information is too long, it could
crash the web server. But then I noticed something interesting: most hosts
that send packets with "Proxy-Authorization: Basic" seem to be firewalls
and/or proxy servers. Normally Proxy-Authorization: Basic is only sent in an
HTTP request when authentication is first required from a proxy server before
retrieving a page. In my case, this type of proxy authorization isn't required
to hit my web servers, so that leads me to believe that firewalls and proxy
servers sending this information are incorrectly configured. If you run the
"ZXThYBHynFp0dwMLdRo=.." (or whatever information is following
"Proxy-Authorization: Basic") through a Base64 decoder, you have the proxy ID
and password of the requesting user. Has anyone else noticed this? Could there
be THAT many misconfigured proxy servers out there that are accidentally
sending proxy user IDs and passwords out to sites that do not require this
information?

Sample trace:

01/30-11:38:05.309896 200.200.200.200:7808 -> some.webserver.com:80
TCP TTL:53 TOS:0x0 ID:37942 IpLen:20 DgmLen:1063 DF
***AP*** Seq: 0x13E8364  Ack: 0x6615BF78  Win: 0x2238  TcpLen: 20
GET /somepage.asp?session_key=D10012AC250022AC20320
130162134585c80673696 HTTP/1.0..Accept: application/msword, appl
ication/vnd.ms-excel, application/vnd.ms-powerpoint, image/gif, 
image/x-xbitmap, image/jpeg, image/pjpeg, application/pdf, */*..
Referer: http://someplace.website.com/default.asp?session_key=D10
011AC340011AC13420180162137785c80483696..Accept-Language: en-us.
.Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compat
ible; MSIE 4.01; Windows NT)..Host: web1.website.com..Cookie
: SITESERVER=ID=a1092a6b786cc0a78055cd9eb1a536db; PSessKey=24001
1AC670111AC20020130164005eee140300182; ASPSESSIONIDGQGQQBCY=HJPM
AAFDPMKOAFOCIGBCNNAD; ASPSESSIONIDGQQQQSHU=EKKGHEFDNCFAABFMDAOOA
KIA; ASPSESSIONIDGGGGQHYZ=ODPLIEFDIGFBAGEMDLEBCAAH; ASPSESSIONID
QGQQGHCY=PPFJJFFDOONIPKHDIMHGAHHH; ASPSESSIONIDGGQQQRJQ=BNGCHEFD
HENMBNEBNNCHLAED; ASPSESSIONIDGQGQQWFG=HFDLAAFDNODPNBNENBNEJCGO;
 ASPSESSIONIDGGQQGRLX=EEPLIEFDFHPNFOJNJKJKNPMO..Proxy-Authorizat
ion: Basic ZXThYBHynFp0dwMLdRo=..Cache-Control: max-stale=0....

Thanks,
Paul
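The check Paul describes (take whatever follows "Proxy-Authorization: Basic" and run it through a Base64 decoder), written out as an added example that is not part of the original post and not Snort code. It reassembles Snort's wrapped ASCII payload dump, finds Basic authorization headers, and decodes the credential, reporting why a token cannot be read when it is not a clean user:password pair. All function and class names are my own; the first sample is the last two dump lines of the trace above, the second is a constructed request carrying a made-up credential.

```python
"""Detection helper: find Basic (proxy) authorization headers in captured
HTTP requests and decode the credential they carry.  Added example, not
code from the original post or from Snort; the names here are my own."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Both headers carry "Basic <base64(user:password)>"; match one header line.
BASIC_RE = re.compile(
    r"^(?P<header>Proxy-Authorization|Authorization):\s*Basic\s+"
    r"(?P<token>[A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class BasicAuthHit:
    header: str               # which header carried the credential
    token: str                # the base64 string exactly as seen on the wire
    username: Optional[str]
    password: Optional[str]
    note: str                 # "ok", or why the token is not a readable user:password


def reassemble_snort_dump(lines: List[str]) -> str:
    """Snort's ASCII payload dump wraps the payload at a fixed width and prints
    every non-printable byte as '.', so each CRLF shows up as '..'.  Join the
    wrapped lines back together and turn each '..' into a newline."""
    return "".join(lines).replace("..", "\n")


def decode_basic_token(token: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (username, password, note).  Never raises on garbage input."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None, None, "not valid base64"
    # latin-1 maps every byte to a character, so this decode cannot fail.
    text = raw.decode("latin-1")
    if not text.isprintable():
        return None, None, "decodes to non-printable bytes"
    if ":" not in text:
        return None, None, "no 'user:password' separator"
    user, _, password = text.partition(":")
    return user, password, "ok"


def find_basic_auth(payload: str) -> List[BasicAuthHit]:
    """Scan one HTTP request (CRLF- or LF-separated) for Basic credentials."""
    hits = []
    for m in BASIC_RE.finditer(payload.replace("\r\n", "\n")):
        user, password, note = decode_basic_token(m.group("token"))
        hits.append(BasicAuthHit(m.group("header"), m.group("token"), user, password, note))
    return hits


# The last two payload lines of the trace in the post, as Snort printed them
# (the header name is split across the wrap).
TRACE_DUMP_LINES = [
    " ASPSESSIONIDGGQQGRLX=EEPLIEFDFHPNFOJNJKJKNPMO..Proxy-Authorizat",
    "ion: Basic ZXThYBHynFp0dwMLdRo=..Cache-Control: max-stale=0....",
]


def constructed_leaky_request() -> str:
    """A constructed request of the shape Paul describes: a proxy forwards its
    client's Proxy-Authorization header to an origin server that never asked
    for it.  The credential is made up for this example."""
    token = base64.b64encode(b"proxyuser:Winter2002").decode("ascii")
    return (
        "GET /somepage.asp HTTP/1.0\r\n"
        "Host: web1.website.com\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "Cache-Control: max-stale=0\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    samples = [
        ("trace from the post", reassemble_snort_dump(TRACE_DUMP_LINES)),
        ("constructed request", constructed_leaky_request()),
    ]
    for label, payload in samples:
        for hit in find_basic_auth(payload):
            print(f"{label}: {hit.header}: {hit.token} -> "
                  f"user={hit.username!r} password={hit.password!r} ({hit.note})")
```

Run on the two dump lines from the trace, the header is found even though Snort split "Proxy-Authorization" across the wrap, but the token decodes to bytes that are not printable text, so the string as printed in the post is not a readable user:password pair. The constructed request decodes cleanly to the made-up credential, which is the case worth alerting on: the same decode step applied to a live capture is what tells you whether a proxy really is leaking its users' credentials.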
