-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Security Advisory: NASR-2001-001 <pnasratat_private> Date: 18 July 2001 Summary: Squid can be used to proxy and also portscan if set up as a httpd accelerator (reverse proxy). Versions Affected: 2.3STABLE3 and 2.3STABLE4 unpatched This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1 - vendors basing their RPMS on RedHat 7.0 are advised to check and apply the patch from the squid site. Debian uses 2.2 and 2.4 so is unaffected. Description of problem: Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel mode. Note this is only if in httpd_accel_host is set and httpd_accel_with_proxy off is set. This is not the default configuration so it is not vulnerable without making these configuration changes. This enables portscanning via squid running in this mode potentially allowing remote attackers to comprimise machines through a squid set up this way. I discovered this whilst doing a security test on a variety of configs and later confirmed it from the squid site below: http://www.squid-cache.org/Versions/v2/2.3/bugs/ Steps to Reproduce: 1. Set squid to httpd_accel mode, with a particular host and strict acl's 2. export httpd_proxy="http://squid-server:port" 3. lynx http://victim:port/ Actual Results: You get a http 200 code if the port is open and sometimes a response with some services SSH, SMTP, etc Expected Results: Should be access denied (403) Discussion: Proxies have often been used in anonymizing attacks on http, but as more sites uuse reverse proxying as a method of distributing their network load and load balancing requests there is the possibility that malicious users could gain proxied access or internal information via them. I attach a sample squid.conf and a sample perl portmapper taking advantage of this bug. Squid will log you running this so it isn't anonymous, and the task of discovering accelerated sites automatically is left as an exercise for the reader. Solution: Squid are aware of this bug and have a patch on their site. RedHat, Immunix and others have been notified and updates are imminent later today. Consider using additional security measures such as a squid redirector, packet filtering, etc. Paul Nasrat - -- "we apologise for any inconvenience" - God's Last Message to His Creation Courtesy of Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7VbucnB2rnqD9/ooRAlM2AJ4xXtjoiLpMH9PwWbh6d1KPQzTxOACgoTRA 5iTMflCCdMGKDMW8+NowgzI= =lohz -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:23:03 PDT