ID SECURITYVULNS:DOC:7708 Type securityvulns Reporter Securityvulns Modified 2005-01-30T00:00:00
Description
WebWasher Classic - HTTP CONNECT weakness
WebWasher Classic
WebWasher Classic is a well-known HTTP URL/popup/script filtering proxy which is free for non-commercial use.
WebWasher Classic supports two modes: a client mode, where it only works for the local machine (bound to localhost), and a server mode, where it serves as a network proxy (bound to 0.0.0.0).
Weakness
If running in server mode, it is possible to connect from remote to TCP ports listening on 127.0.0.1 of the WebWasher system. This is a design flaw, because CONNECT requests to localhost should be denied.
It also may be possible to bypass access lists of firewalls protecting the WebWasher system.
Version
WebWasher Classic v3.3 and v2.2.1 on the Windows platform.
Other platforms were not tested, but may also be affected.
Exploiting/PoC
1) Start a netcat listener on the WebWasher system:
 netcat -L -p 99 -s 127.0.0.1 < hallo.txt
2) Connect to the WebWasher proxy port (default 8080/tcp)
3) Enter the command "CONNECT 127.0.0.1:99 HTTP/1.0"
As a result, the content of hallo.txt will appear.
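The check the advisory says is missing, written here as an added example rather than WebWasher's code or the advisory author's: a forward proxy parses the CONNECT authority and refuses the tunnel when any address the target names is loopback (the case above), unspecified, link-local, or, optionally, private space, which is what closes the firewall-bypass route the Weakness section mentions. The calling proxy (connect_allowed() being invoked before the tunnel is opened) is hypothetical, and demo_resolver() is a constructed lookup table standing in for DNS so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def is_forbidden_address(ip: IPAddress, block_private: bool = True) -> bool:
    """Return True if a proxy must refuse to tunnel to this address.

    Loopback is the case the advisory describes; 0.0.0.0, link-local,
    multicast and reserved ranges are refused for the same reason, and
    RFC 1918 / ULA space optionally, so CONNECT cannot reach hosts that a
    firewall in front of the proxy is meant to shield.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return True
    if ip.is_multicast or ip.is_reserved:
        return True
    return block_private and ip.is_private


def parse_connect_target(request_line: str) -> Tuple[str, int]:
    """Split 'CONNECT host:port HTTP/1.x' into (host, port).

    Raises ValueError for anything that is not a well-formed CONNECT line,
    so malformed requests fall into the deny path rather than being guessed at.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT" \
            or not parts[2].upper().startswith("HTTP/"):
        raise ValueError("not a CONNECT request line")
    authority = parts[1]
    if authority.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:99
        host, sep, port = authority[1:].partition("]:")
    else:
        host, sep, port = authority.rpartition(":")
    if not sep or not host:
        raise ValueError("authority must be host:port")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port")
    return host, int(port)


def default_resolver(host: str) -> List[str]:
    """Resolve a name to every address it has (real DNS; not used by the demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def connect_allowed(request_line: str,
                    resolver: Callable[[str], List[str]] = default_resolver,
                    block_private: bool = True) -> Tuple[bool, str]:
    """Decide whether a proxy may honour this CONNECT line; returns (verdict, reason)."""
    try:
        host, port = parse_connect_target(request_line)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return False, "target is localhost"
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:  # not an IP literal, so resolve the name
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host}"
        if not addrs:
            return False, f"{host} has no addresses"
    # Every address must pass: a name answering with one public and one
    # loopback record must not slip through on the public one.
    for ip in addrs:
        if is_forbidden_address(ip, block_private):
            return False, f"{host}:{port} resolves to forbidden address {ip}"
    return True, f"{host}:{port} ok"


def demo_resolver(host: str) -> List[str]:
    """Constructed lookup table standing in for DNS so the example runs offline."""
    table = {
        "www.example.com": ["93.184.216.34"],
        "intranet.example": ["10.0.0.5"],
        "rebind.example": ["93.184.216.34", "127.0.0.1"],
    }
    if host not in table:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return table[host]


if __name__ == "__main__":
    for line in ("CONNECT 127.0.0.1:99 HTTP/1.0",   # the advisory's request
                 "CONNECT [::ffff:127.0.0.1]:99 HTTP/1.1",
                 "CONNECT localhost:99 HTTP/1.0",
                 "CONNECT rebind.example:443 HTTP/1.1",
                 "CONNECT www.example.com:443 HTTP/1.1"):
        print(line, "->", connect_allowed(line, resolver=demo_resolver))
```

Two points of the design matter for a proxy that adopts this check: the tunnel must be opened to an address that actually passed the check, not to the hostname resolved a second time, since a second lookup can return a different answer; and the check is applied to the request line regardless of which interface the proxy is bound to, so switching between client and server mode cannot reintroduce the gap.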
Vendor:
http://www.webwasher.com
(Webwasher belongs to CyberGuard)
Discovered
by Oliver Karow
http://www.oliverkarow.de/research/WebWasherCONNECT.txt
Source record: https://vulners.com/securityvulns/SECURITYVULNS:DOC:7708 (published 2005-01-30, last seen 2018-08-31).