With permission from a client, I was allowed to divulge a minor vulnerability in an unknown load balancer. I was asked to do some testing on their servers exposed to the Internet; they wanted to know what they look like from the h^Hcracker's point of view. I think from now on I will call this type of test 'black box reconnaissance', since I do not have prior knowledge of their internal network.
They have the usual stuff, like a firewall which sends an RST to a blacklisted host. I have custom tests for web servers, and I accidentally found a vulnerability in their load balancer; my client does not want to disclose the brand or make of the load balancer.
Apparently, requesting a path over HTTP 1.0 without a trailing slash reveals the internal IP addresses of the web servers.
Testing: HTTP 1.0 without trailing slash

-- HEAD /portal HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.2/portal/
Connection: close
Content-Type: text/html; charset=iso-8859-1

-- HEAD /portal HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.4/portal/
Connection: close
Content-Type: text/html; charset=iso-8859-1

-- HEAD /portal HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.3/portal/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Testing: HTTP 1.0 with trailing slash

-- HEAD /portal/ HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 10:00:14 GMT
Server: Apache
Connection: close
Content-Type: text/html

Testing: HTTP 1.1 without trailing slash

-- HEAD /portal HTTP/1.1
-- HOST: example.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 10:00:43 GMT
Server: Apache
Location: http://example.com/portal/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Testing: HTTP 1.1 with trailing slash

-- HEAD /portal/ HTTP/1.1
-- HOST: example.com
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 10:01:00 GMT
Server: Apache
Connection: close
Content-Type: text/html
Microsoft IIS had a similar security vulnerability, in which Internet Information Server returns its IP address in an HTTP header (Content-Location):
This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server. Example:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://10.1.1.1/Default.htm
Date: Thu, 18 Feb 1999 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325
In this example, the Content-Location specifies the private internal address of the IIS computer in the header. This header is then unchanged when it passes through a firewall or proxy server. Therefore, the security of the internal network may be compromised by exposing the network addresses that are being used.
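As an added example (not part of the original post, nor vendor code), the following Python script checks HTTP responses for exactly the class of leak shown in both transcripts above: it parses the response headers and flags any Location or Content-Location value whose host is a literal private, loopback or link-local IP address. The sample responses it embeds are constructed from the page's own transcripts (the 192.168.1.x and 10.1.1.1 addresses are the ones shown above); the probe() helper sends the same HEAD request over a raw socket, with either HTTP/1.0 or HTTP/1.1, so an administrator can check a load balancer they operate. The host names, function names and header list are my assumptions, not anything from the post.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample responses, modelled on the transcripts in the post.
LEAKY_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Tue, 15 Jan 2008 09:59:57 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://192.168.1.2/portal/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://example.com/portal/\r\n"
    "Connection: close\r\n"
    "\r\n"
)
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://10.1.1.1/Default.htm\r\n"
    "Content-Length: 4325\r\n"
    "\r\n"
)

# Headers that carry an absolute URL built by the origin server from its own
# idea of its hostname; they leak when the proxy in front does not rewrite them.
URL_HEADERS = ("location", "content-location")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def leaked_private_addresses(raw):
    """Return [(header_name, address)] for every URL-bearing header whose
    host is a literal private, loopback or link-local IP address."""
    _, headers = parse_headers(raw)
    leaks = []
    for name, value in headers:
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name such as example.com, not a literal IP
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append((name, str(addr)))
    return leaks


def head_request(path, version="1.0", host=None):
    """Build the raw HEAD request used in the transcripts.
    HTTP/1.1 requires a Host header; HTTP/1.0 is sent without one."""
    lines = ["HEAD %s HTTP/%s" % (path, version)]
    if version == "1.1":
        lines.append("Host: %s" % host)
    return "\r\n".join(lines) + "\r\n\r\n"


def probe(host, path, version="1.0", port=80, timeout=5):
    """Send one HEAD request to a server you administer and report any
    internal addresses its redirect or Content-Location headers expose."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(head_request(path, version, host).encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    raw = b"".join(chunks).decode("iso-8859-1")
    return leaked_private_addresses(raw)


if __name__ == "__main__":
    samples = (("load balancer, HTTP/1.0", LEAKY_RESPONSE),
               ("load balancer, HTTP/1.1", CLEAN_RESPONSE),
               ("IIS Content-Location", IIS_RESPONSE))
    for label, raw in samples:
        print("%-25s %s" % (label, leaked_private_addresses(raw) or "no leak"))
```

Run against the embedded samples it reports the 192.168.1.2 redirect and the 10.1.1.1 Content-Location and passes the HTTP/1.1 response as clean; probe("lb.example.com", "/portal", "1.0") and probe("lb.example.com", "/portal", "1.1") repeat the two requests from the transcripts against a host you own (hypothetical name). The same check can be run over stored response headers from a proxy log. The fix belongs at the proxy or load balancer, which should rewrite absolute URLs in Location and Content-Location to the public name before the response leaves; on Apache httpd used as a reverse proxy, ProxyPassReverse does that rewriting.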
A fellow on the Full-Disclosure mailing list said he has seen this in F5 BIG-IP and IIS. Unfortunately I do not have access to a BIG-IP anymore, so I cannot confirm it myself.