Skip to main content

How a simple vulnerability allowed proxying TCP traffic - real pentest case

Illustration of How a simple vulnerability allowed proxying TCP traffic - real pentest case
Dariusz Tytko

How a simple vulnerability allowed proxying TCP traffic - real pentest case

During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.

As an aim in this article is to share expert knowledge, I will discuss two different cases of this vulnerability exploitation.

First case: external system access

Obtaining configuration: STUN/TURN server configuration was obtained from WebSocket messages.

STUN/TURN configuration

Using Stunner tool: the tool was used to test the STUN/TURN server. Initial steps involved gathering basic information about the server.

Stunner tool usage

Configuring SOCKS Proxy: Stunner was then used to set up a SOCKS proxy server to forward TCP traffic through turn.example.com.

SOCKS proxy configuration

Accessing external server: SOCKS proxy server was used to connect to an external server belonging to the auditor. Tools like Proxychains and wget helped in this process.

External server access

Observation of HTTP connection: HTTP connection originating from turn.example.com was observed on the auditor’s server.

HTTP connection observation

Second case: internal systems and Azure VM configurations access

Preparing a bash script: bash script was prepared to request metadata from an internal URL.

Bash script preparation

Running the script via proxy: the script was executed using the SOCKS proxy server.

Script execution via proxy

Retrieving configuration: Azure VM configuration details were successfully returned.

Azure VM configuration

Recommendation from our auditor

To prevent such vulnerabilities, the STUN/TURN server configuration should be modified to block the proxying of TCP traffic to arbitrary hosts. Ensuring that the server only processes intended traffic is crucial for maintaining the security and integrity of the application infrastructure. Regular audits and updates to server configurations are recommended to safeguard against similar vulnerabilities in the future.

Other Insights

Illustration of Exploiting PDF generation vulnerability: a case study from real pentest

Exploiting PDF generation vulnerability: a case study from real pentest

SECURITUM

In a recent penetration test conducted by [Your Security Company], we identified a critical vulnerability within a web application that allowed unauthorized access to sensitive resources. This flaw permits an attacker to access both local server files and data on other servers within the same network. The vulnerability stems from improper handling of user-input data, presenting a severe security risk.

READ article
Illustration of Password reset flaw: when anyone can reset your password

Password reset flaw: when anyone can reset your password

Sebastian Jeż

During rigorous testing, security researchers uncovered a significant weakness in the password reset mechanisms used by numerous online platforms. By exploiting the seemingly harmless phone number field, an attacker can compromise a victim's account. The vulnerability lies in the mishandling of a four-digit code, which, instead of being sent solely to the owner's phone, is also included in the server's response. This oversight turns a seemingly harmless feature into a gateway for hackers to infiltrate users' digital lives.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us