Monday, December 31, 2007

Proxies Behaving Badly

Working for a municipal government means that we get requests on our webserver for all kinds of information about our city from citizens, businesses, etc. A while ago the bleedingthreats project released a couple of rules to look for unencrypted basic HTTP auth. I went ahead and deployed these rules, as we should never have any webapp that takes unencrypted base64 auth, and if one was ever deployed I wanted to know about it.

As a side effect of deploying these rules, we found that many proxies were sending valid internal proxy authentication credentials to our webservers even though we were not prompting for any sort of auth. These are organizations such as Fortune 50 financial institutions, clinical research facilities, a check verification company, a home and auto insurance company; the list goes on and on. I honestly get a couple of these a week. In most cases it is a nightmare to try and get anybody on the phone, as most organizations' ARIN contact information is incorrect. I don't know how many companies I called and got a message saying press 0 to talk to an operator, only to press 0 and hear the same stupid automated message in a loop.

Quite a few of the internal authentication credentials I received seemed to be leaked by Blue Coat proxies. I contacted the guys at Fishnet Security, as I don't have access to a Blue Coat. The only thing they found was a setting that has to be set via the command line and, according to Jake Reynolds at Fishnet, should only be set in very special reverse proxy configurations. The configuration parameter is spoof-authentication. If you are running Blue Coat with this option disabled, try deploying a Snort box to watch its public-facing interface with the following rules to see if your proxy is leaking auth. These are prone to false positives, as HTTP is essentially stateless, but they should reduce noise for statically served content. It still kills me that companies like Cisco and Oracle still use unencrypted basic HTTP auth *sigh*..

This is a perfect opportunity for you to deploy full content logging in your enterprise; make the Bejtlich proud.

alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content:"|20|401"; within: 5; content:"|0d 0a|WWW-Authenticate|3a 20|"; nocase; flowbits:set,httpbasicrequest; flowbits:noalert; classtype:policy-violation; sid:3000526; rev:8;)

alert tcp any $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE POLICY Proxy Auth Challenge from HTTP Server"; flow:established,to_client; content:"HTTP/1."; depth:7; nocase; content: "|20|407"; within:5; content:"|0d 0a|Proxy-Authenticate|3a 20|"; nocase; flowbits:set,httpproxyauthrequest; flowbits:noalert; classtype:policy-violation; sid:3000527; rev:8;)

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000528; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password leaked"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; flowbits:isnotset,httpbasicrequest; flowbits:isnotset,httpproxyauthrequest; classtype:policy-violation; sid:3000529; rev:4;)
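To make the flowbits logic of these rules concrete, here is an added Python example (not from the post, Snort or Blue Coat) that applies the same challenge-then-credential check to a single connection's HTTP messages: an Authorization: Basic header that the client sends without a preceding 401/407 challenge is reported, the anonymous credential is ignored, and only the username is surfaced so you have something to quote when you phone the owning organization. The hostnames and credentials in it are constructed.

```python
import base64
import re

# Base64 of "anonymous:", the one credential the rules deliberately ignore.
ANONYMOUS_B64 = "YW5vbnltb3VzOg=="

CHALLENGE_RE = re.compile(r"^HTTP/1\.\d (401|407)\b", re.IGNORECASE)
BASIC_RE = re.compile(r"\r\nAuthorization: Basic ([A-Za-z0-9+/=]+)", re.IGNORECASE)


def scan_flow(messages):
    """messages: list of ("client"|"server", raw_http_text) in wire order for one
    TCP connection. Returns the usernames from Basic credentials the client sent
    without the server (or a proxy) having challenged it first, i.e. the condition
    rules 3000528/3000529 alert on. Passwords are decoded but never returned."""
    challenged = False  # stands in for the httpbasicrequest/httpproxyauthrequest flowbits
    leaked = []
    for direction, text in messages:
        lower = text.lower()
        if direction == "server":
            m = CHALLENGE_RE.match(text)
            if m and (("\r\nwww-authenticate: " in lower and m.group(1) == "401")
                      or ("\r\nproxy-authenticate: " in lower and m.group(1) == "407")):
                challenged = True
            continue
        m = BASIC_RE.search(text)
        if not m or challenged or m.group(1) == ANONYMOUS_B64:
            continue
        try:
            creds = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:
            continue  # not valid Basic credentials; nothing to report
        leaked.append(creds.split(":", 1)[0])
    return leaked


# Constructed traffic. A proxy volunteering its user's internal credentials on a
# plain GET is exactly what the post describes seeing from outside organizations.
CRED = base64.b64encode(b"jdoe:hunter2").decode()
UNSOLICITED = [
    ("client", "GET /services/permits HTTP/1.1\r\nHost: www.example.gov\r\n"
               f"Authorization: Basic {CRED}\r\n\r\n"),
]
# A legitimate exchange: the server challenges first, so the credential is expected.
CHALLENGED = [
    ("client", "GET /admin HTTP/1.1\r\nHost: www.example.gov\r\n\r\n"),
    ("server", "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"admin\"\r\n\r\n"),
    ("client", f"GET /admin HTTP/1.1\r\nHost: www.example.gov\r\nAuthorization: Basic {CRED}\r\n\r\n"),
]
ANON = [("client", f"GET /pub HTTP/1.1\r\nAuthorization: Basic {ANONYMOUS_B64}\r\n\r\n")]

if __name__ == "__main__":
    print(scan_flow(UNSOLICITED), scan_flow(CHALLENGED), scan_flow(ANON))  # ['jdoe'] [] []
```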