The Patsy ProxyGetting Others To Do Your Dirty Work

Who we are

Jen Savage◦Software Developer ◦@savagejen

Dan Crowley◦Managing Consultant at Trustwave

SpiderLabs◦@dan_crowley

What is a patsy proxy?

Patsy (noun): A person who is easily taken advantage of

Proxy (noun): A person authorized to act on the behalf of another

A patsy proxy is anything that can be used to unwittingly perform an attack on the behalf of another.

Advantages of a patsy proxyProxy owner is unaware of proxyTarget is unaware that victim acts

as proxy◦Not publicly listed as a proxy◦No traditional proxy service on victim

Logging unlikelyIP may be privileged

Disadvantages of a patsy proxyAttack capabilities may be

limited◦May be blind◦May change the traffic◦May have a time delay◦May pass only certain types of traffic

What is inside the black box?◦May be logged

On patsy limitationsPatsy only allows GET params

◦Many applications accept POST params in GET

Patsy only makes HEAD requests◦Many applications process HEAD/GET

the same No data will be returned DoS capability severely limited

Patsy is blind◦Many attacks can be launched blind

Malicious uses of a patsy proxy

Frame SomeonePost threats, harass people, etcAccess illegal materialsLaunch attacks

Anonymize an attackAttack will trace back to the

patsy◦Is the patsy logging?

Traditional attacks◦SQLi◦RFI◦DoS

Bypass IP address filteringEvade IP blacklist

◦IP ban◦Sites which disallow proxies

Exploit IP trust relationships◦Business partnerships◦Proxies usually disallow internal

access Not the case with unintentional proxying

Methods to achieve a patsy proxy

Automated ServicesURL shorteners & un-shortenersWeb SpidersTwitter bots“Upload from URL” functionalityWebpage translation utilitiesLink preview functionality

GOOGLE TRANSLATE“Translate” a web page

FACEBOOKStatus update preview

Automated ServicesMalware Scanning UtilitiesMail Gateway Scanners

◦Thanks to Jcran for his Project Tuna data: tuna.pentestify.com/emails

Other

Good job Google on the Google Safe Browsing Database!

CLAMAVIn certain configurations, URLs in emails are checked for malware

GEOCITIES-IZERHack like it’s 1996

UNKNOWN MAIL GATEWAY AVWith ROT13 power

Traditional VulnsXSS / HTML InjectionXML injection (XXE)SQLiRFI

Social EngineeringWorth mentioningNot worth in-depth explanation

Could it be a vulnerability?

Recursive DoSPoint the patsy back at itselfTraffic amplification factor:

◦MAX_URI / patsy URI length * 2Tack a large resource onto the

last iteration20 requests resulted in 30

minutes downtime◦Over the LAN!

RECURSIVE DOS“If it’s stupid but it works, it isn’t stupid.”patsy.php contained fopen($_GET['site'], 'r');

WAF bypassRecurse onceDouble encode attack

Web Server

WAFMal

DDoS through patsiesI have 2MB upI have 30 patsies, each 15MB upI have Python

By your powers combined……I AM CAPTAIN DOWNTIME

Access to Internal NetworksModern proxies enforce

boundaries between internal / external

Unintentional proxies may allow boundary violation◦http://patsy.com/?site=http://

10.0.0.1/admin.htm

ConclusionAttribution is Hard(er)

◦An IP address is not a personIP address filtering is ineffectiveThink before generating traffic

for usersUser education is valuable for

users, too◦Don’t Take Candy from Internet

Strangers