OVERVIEW Squid, http://www.squid-cache.org/, is a commonly used web proxy/cache server. There is a buffer overflow in the code that parses FTP requests. A certain kind of FTP request causes a Squid child process to coredump, and repeating such requests makes the server unusable. Exploiting the flaw to gain shell access on the proxy server doesn't seem trivial, but may be possible. A remote attacker might gain root access on the server this way. In order to carry out these attacks, the attacker needs to be allowed to use the server by its configuration. Squid versions 2.3 and 2.4 are vulnerable. DETAILS The flaw is located in ftp.c, function ftpBuildTitleUrl(). When building an URL, the program first calculates the space needed: len = 64 + strlen(ftpState->user) + strlen(ftpState->password) + strlen(request->host) + strLen(request->urlpath); Then it allocates memory: t = ftpState->base_href = xcalloc(len, 1); And then puts together the URL string with strcat: strcat(t, "ftp://"); if (strcmp(ftpState->user, "anonymous")) { strcat(t, rfc1738_escape_part(ftpState->user)); if (ftpState->password_url) { strcat(t, ":"); strcat(t, rfc1738_escape_part(ftpState->password)); } strcat(t, "@"); } strcat(t, request->host); if (request->port != urlDefaultPort(PROTO_FTP)) snprintf(&t[strlen(t)], len - strlen(t), ":%d", request->port); strcat(t, strBuf(request->urlpath)); strcat(t, "/"); On the first look this seems ok, but there's a problem with the use of rfc1738_escape_part() which returns the parameter string URL-escaped ("%xy" notation). Its return string may be three times as long as the parameter. The FTP username and password are escaped, so an FTP request with a sufficiently long username and password consisting of special characters causes the above code to run out of space and write beyond the malloc'ed memory area. In other words, the memory is allocated according to the unescaped string length, but the possibly longer URL-escaped string is copied to it. EXPLOITING A denial of service attack against the server requires only sending an FTP request with a username and password like described above. Exploiting the flaw to run arbitrary code is another story. The exploit details depend on the malloc() implementation of the operating system. On Linux, some malloc chunk structures can be overwritten with the URL path. It looks like the string may contain binary data (except null bytes and probably whitespaces) so it doesn't restrict the exploit. With different kinds of usernames, passwords, and URLs the program crashes in different points of libc's malloc/free functions, which suggests that the problem may be exploitable in the similar way as e.g. the "traceroute -g -g" flaw. The possible exploit isn't a matter of cut'n'paste however. By default, Squid doesn't drop root privilege completely and thus the attacker would gain root shell access. It will drop the privilege only if the chroot option has been used in squid.conf. In that case the attacker would get a shell running as the squid user (or what ever has been defined in the configuration). SOLUTION Squid developers were contacted on Saturday Feb 16. They produced and sent me a patch to correct the flaw in less than 3 hours. There is a patch and an updated package (also addressing two other security issues) on the Squid website. For more information, see the advisory at http://www.squid-cache.org/Advisories/SQUID-2002_1.txt CREDITS The vulnerability was found by Jouko Pynnönen of Online Solutions Ltd. Thanks to Henrik Nordstrom <hno@squid-cache.org> for a very timely response. -- Jouko Pynnonen Online Solutions Ltd Secure your Linux - joukoat_private http://www.secmod.com
This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 12:46:31 PST