How a simple vulnerability allowed proxying TCP traffic - real pentest case During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.

As an aim in this article is to share expert knowledge, I will discuss two different cases of this vulnerability exploitation.
First case: external system access Obtaining configuration: STUN/TURN server configuration was obtained from WebSocket messages.
Using Stunner tool: the tool was used to test the STUN/TURN server. Initial steps involved gathering basic information about the server.
Configuring SOCKS Proxy: Stunner was then used to set up a SOCKS proxy server to forward TCP traffic through turn.example.com.
Accessing external server: SOCKS proxy server was used to connect to an external server belonging to the auditor. Tools like Proxychains and wget helped in this process.
Observation of HTTP connection: HTTP connection originating from turn.example.com was observed on the auditor’s server.
Second case: internal systems and Azure VM configurations access Preparing a bash script: bash script was prepared to request metadata from an internal URL.
Running the script via proxy: the script was executed using the SOCKS proxy server. Retrieving configuration: Azure VM configuration details were successfully returned. Recommendation from our auditor To prevent such vulnerabilities, the STUN/TURN server configuration should be modified to block the proxying of TCP traffic to arbitrary hosts. Ensuring that the server only processes intended traffic is crucial for maintaining the security and integrity of the application infrastructure. Regular audits and updates to server configurations are recommended to safeguard against similar vulnerabilities in the future.



#CyberSecurity #WebSecurity #PenetrationTesting #InfoSec #DataProtection #PentestChronicles