Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   AdSubtract Vendors:   interMute, Inc.
AdSubtract Access Control Flaw Lets Remote Users Connect to Arbitrary Hosts Via the Application
SecurityTracker Alert ID:  1006925
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 5 2003
Impact:   Host/resource access via network
Exploit Included:  Yes  
Version(s): 2.55 and prior versions
Description:   A vulnerability was reported in the AdSubtract banner ad blocking software. A remote user can make arbitrary connections through the application.

LURHQ Corporation reported that a remote user can bypass access controls intended to restrict access to the 'localhost' interface. A remote user can connect to the application on port 4444 or 11523 if the remote user has a domain name that reverse resolves to '[domain]' (or another name that includes the string ''). AdSubtract will reportedly perform a reverse DNS lookup on the IP address of the connecting remote user and conclude that the connection is originating from (the localhost), permitting the connection as a result.

It is also reported that the application does not log HTTP requests by default.

The vendor has reportedly been notified (on May 5, 2003).

Impact:   A remote user can connect to arbitrary hosts via the application. In the default configuration, the connections will not be logged.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] AdSubtract Proxy ACL Bypass Vulnerability

AdSubtract Proxy ACL Bypass Vulnerability


Release Date
June 4, 2003

Joe Stewart

About AdSubtract
AdSubtract is one of the leading products in the banner-ad blocking
software market. It is frequently bundled with modems from several
leading manufacturers and has an estimated installed user base in the

Medium; unauthorized users may proxy from any origin to any destination,
including reverse connections back into the LAN. Attackers may be able
to access protected intranet documents or portscan internal machines.
Although the CONNECT method is not supported by AdSubtract, LURHQ was
able to confirm the risk of abuse of AdSubtract proxies by spammers to
proxy SMTP connections using other methods.

interMute, Inc.

AdSubtract/AdSubtract Pro

2.55 and below

AdSubtract is a proxy server designed to block pop-ups, banner ads,
animations, sounds and unwanted cookies. It typically runs as a service
on the computer for which it is acting as a proxy, although it can be
configured to act as a proxy server for an entire LAN. By default it
listens for proxy connections on port 4444 and 11523 on all interfaces,
but has access control so that only localhost ( can use the
service by default.

Due to a design flaw, the access-control mechanism can be fooled into
passing traffic for any source. An attacker can set up a PTR record for
a host in the attacker's domain using a hostname such as
"". The AdSubtract server will do reverse DNS
resolution on the IP address and will mistakenly authorize the
connection based on finding the string "" in the hostname.

Logging of http requests is turned off by default, so no record of any
abuse will be found on the system being attacked.

Vendor Status
Vendor was notified on May 5, 2003. Confirmation of the notification
was received but no further response was given, despite several emails
sent inquiring on the status of an updated version.

At the time of this release the vendor has not provided an updated
version of the software to fix the vulnerability. Therefore it is our
recommendation to remove AdSubtract from any computer directly
connected to the Internet.

Sites who use proxy testing software to deny connections from open
proxies may want to include the conditions for this ACL bypass in their
test parameters.

About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security Services.
Founded in 1996, LURHQ has built a strong business protecting the
critical information assets of more than 400 customers by offering
managed intrusion prevention and protection services. LURHQ's 24X7
Incident Handling capabilities enable customers to enhance their
security posture while reducing the costs of managing their security
environments. LURHQ's OPEN Service Delivery methodology facilitates a
true partnership with customers by providing a real time view of the
organization's security status via the Sherlock Enterprise Security
Portal. For more information visit

Copyright (c) 2003 LURHQ Corporation Permission is hereby granted for
the redistribution of this document electronically. It is not to be
altered or edited in any way without the express written consent of
LURHQ Corporation. If you wish to reprint the whole or any part of this
document in any other medium excluding electronic media, please e-mail for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties implied or otherwise with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this

Updates and/or comments to:
LURHQ Corporation

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC