[12420] in bugtraq
[squid] exploit for external authentication problem
daemon@ATHENA.MIT.EDU (Oezguer Kesim)
Wed Nov 3 15:51:29 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991103134527.A25102@knuth.codeblau.de>
Date: Wed, 3 Nov 1999 13:45:27 +0100
Reply-To: Oezguer Kesim <oec@CODEBLAU.DE>
From: Oezguer Kesim <oec@CODEBLAU.DE>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991025203036.A1366@kesim.dialup.fu-berlin.de>; from Oezguer
Kesim on Mon, Oct 25 1999 at 14:30:36AM +0200
Holla,
since some people asked how to exploit the squid bug, I send a description
along.
Assumptions:
~~~~~~~~~~~~
1.) You use plain squid-2.2-STABLE5 or below. Also, external authentification
is active using a some external authentication program, which basically
follows the implementation guidelines given on the squid-webpages.
2.) Your ACL's for external authentication apply often enough so that external
authentificatoin actually happens maybe every 20 seconds to 20 minutes.
This also depends on your password-cache settings.
3.) In general, users enter correct user:password pairs.
4.) No other user has sent a user:passwd pair with a newline at the end to
the proxy until now (so we can acctually describe the effect when it
occurs the first time).
The exploit:
~~~~~~~~~~~~
1.) Create a base64-encoded "user:passwd\n" string, f.e.:
# echo "foo:bar" | mimencode
# Zm9vOmJhcgo=
Note that
# echo -n "foo:bar" | mimencode
(notice the -n option!) will strip the trailing newline and can't be used.
The newline at the end is essential for the exploit, since most external
authenticators will read _two_ lines from the proxy and sent _two_ results
back to the proxy, shifting all subsquent responses to authentication
request by one.
2.) telnet to your proxy and sent a valid but not authorized request (lines
marked with a * are your input lines):
# telnet proxy 8080
Trying 123.123.123.123
Connected to proxy.home.net
Escape character is '^]'
* GET http://some.domain.net HTTP/1.0
* Proxy-Authorization: Basic Zm9vOmJhcgo=
*
Please notice the last extra newline needed for the Protocol (it has
nothing to do with the exploit, though).
An ACL must match the given domain (here, some.domain.net), which uses the
external authentication program.
3.) You will see the response for you user:passwd pair and due to assumption
4.), this answer is accurate.
Now, wait. Once a different user sents his user:password pair -- which in
turn is correct in general as stated in assumption 3.) -- he will get the
authentication response of _your_ empty line and most probably will be a
HTTP/1.0 407 Proxy Authentication Required answer, but then, the user will
try again and... get the _correct_ answer of his or her _first_ try.
Now, the second answer (which most probably will be OK) is pending!
4.) Try to connect again with another fake user:password (without extra
newline), most likely using your favorite browser. Now you should profit
from the pending OK in step 3 and get the page you want.
Thats it. Please notice, that when caching is active, you can surf as long
the name:password pair is available in the cache -- which can be quite long.
cheers,
Oezguer Kesim
oec@codeblau.de
