AdSubtract Proxy ACL Bypass Vulnerability
- URL: http://www.secureworks.com/research/threats/adsubtract-proxy
- Date: June 4, 2003
- Author: Joe Stewart
About AdSubtract
AdSubtract is one of the leading products in the banner-ad blocking software market. It is frequently bundled with modems from several leading manufacturers and has an estimated installed user base in the millions.
Impact
Medium; unauthorized users may proxy from any origin to any destination, including reverse connections back into the LAN. Attackers may be able to access protected intranet documents or port scan internal machines. Although the CONNECT method is not supported by AdSubtract, SecureWorks was able to confirm the risk of abuse of AdSubtract proxies by spammers to proxy SMTP connections using other methods.
Vendor
interMute, Inc.
Product
AdSubtract/AdSubtract Pro
Versions
2.55 and below
Description
AdSubtract is a proxy server designed to block pop-ups, banner ads, animations, sounds and unwanted cookies. It typically runs as a service on the computer for which it is acting as a proxy, although it can be configured to act as a proxy server for an entire LAN. By default it listens for proxy connections on ports 4444 and 11523 on all interfaces, but has access control so that only localhost (127.0.0.1) can use the service by default.
Due to a design flaw, the access-control mechanism can be fooled into passing traffic for any source. An attacker can set up a PTR record for a host in the attacker's domain using a hostname such as "127.0.0.1.example.com". The AdSubtract server will do reverse DNS resolution on the IP address and will mistakenly authorize the connection based on finding the string "127.0.0.1" in the hostname.
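The following is an added example, not code from the advisory or from interMute: it reconstructs the class of ACL check the advisory describes (substring-matching the allowed address against the client's reverse-DNS name) beside the hardened form, which compares the client's IP address itself and never consults the PTR name. The reverse-DNS table, the function names and the addresses (documentation range 192.0.2.0/24) are constructed for the example so it runs offline.

```python
import ipaddress

# Constructed stand-in for PTR lookups so the example runs offline.
# 192.0.2.10 carries a name of the shape the advisory describes: the
# allowed address embedded as a substring of an attacker-controlled hostname.
FAKE_PTR = {
    "127.0.0.1": "localhost",
    "192.0.2.10": "127.0.0.1.example.com",
    "192.0.2.20": "client20.example.com",
}

# The proxy's access-control list as a list of address strings (assumed format).
ALLOWED = ["127.0.0.1"]


def reverse_lookup(ip):
    """Return the PTR name for ip, or the bare address when no record exists."""
    return FAKE_PTR.get(ip, ip)


def flawed_acl_allows(peer_ip):
    """Reconstruction of the bypassable check: accept the peer if an allowed
    address appears anywhere in its reverse-DNS name."""
    name = reverse_lookup(peer_ip)
    return peer_ip in ALLOWED or any(allowed in name for allowed in ALLOWED)


def fixed_acl_allows(peer_ip):
    """Hardened check: parse the peer address and test membership in the ACL
    as a network. The reverse-DNS name is attacker-controlled and is ignored."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # a non-address string can never match an address ACL
    return any(addr in ipaddress.ip_network(allowed) for allowed in ALLOWED)


def compare(peer_ip):
    """Return (flawed_decision, fixed_decision) for one connecting address."""
    return flawed_acl_allows(peer_ip), fixed_acl_allows(peer_ip)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "192.0.2.20"):
        flawed, fixed = compare(ip)
        print(f"{ip:12} PTR={reverse_lookup(ip):24} flawed={flawed!s:5} fixed={fixed}")
```

Running the block shows the divergence on 192.0.2.10: the substring check accepts it because its PTR name contains "127.0.0.1", while the address-based check rejects it. Site proxy tests can apply the same idea by checking whether a proxy's decision changes with the connecting host's PTR name rather than its address.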
Logging of HTTP requests is turned off by default, so no record of any abuse will be found on the system being attacked.
Vendor Status
The vendor was notified on May 5, 2003. Confirmation of the notification was received, but no further response was given despite several emails inquiring about the status of an updated version.
Solution
At the time of this release the vendor has not provided an updated version of the software to fix the vulnerability. Therefore it is our recommendation to remove AdSubtract from any computer directly connected to the Internet.
Sites that use proxy testing software to deny connections from open proxies may want to include the conditions for this ACL bypass in their test parameters.