8042190 2002-02-22 16:26 +0200 /118 rader/ Jouko Pynnonen <jouko@solutions.fi>
Sänt av: joel@lysator.liu.se
Importerad: 2002-02-22 21:49 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <21103>
Ärende: Squid buffer overflow
------------------------------------------------------------
From: Jouko Pynnonen <jouko@solutions.fi>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0202211243440.23074-100000@lissu.solutions.fi>
OVERVIEW
Squid, http://www.squid-cache.org/, is a commonly used web
proxy/cache server. There is a buffer overflow in the code that
parses FTP requests. A certain kind of FTP request causes a Squid
child process to coredump, and repeating such requests makes the
server unusable. Exploiting the flaw to gain shell access on the
proxy server doesn't seem trivial, but may be possible. A remote
attacker might gain root access on the server this way. In order to
carry out these attacks, the attacker needs to be allowed to use the
server by its configuration. Squid versions 2.3 and 2.4 are
vulnerable.
DETAILS
The flaw is located in ftp.c, function ftpBuildTitleUrl(). When
building an URL, the program first calculates the space needed:
len = 64
+ strlen(ftpState->user)
+ strlen(ftpState->password)
+ strlen(request->host)
+ strLen(request->urlpath);
Then it allocates memory:
t = ftpState->base_href = xcalloc(len, 1);
And then puts together the URL string with strcat:
strcat(t, "ftp://");
if (strcmp(ftpState->user, "anonymous")) {
strcat(t, rfc1738_escape_part(ftpState->user));
if (ftpState->password_url) {
strcat(t, ":");
strcat(t, rfc1738_escape_part(ftpState->password));
}
strcat(t, "@");
}
strcat(t, request->host);
if (request->port != urlDefaultPort(PROTO_FTP))
snprintf(&t[strlen(t)], len - strlen(t), ":%d", request->port);
strcat(t, strBuf(request->urlpath));
strcat(t, "/");
On the first look this seems ok, but there's a problem with the use
of rfc1738_escape_part() which returns the parameter string
URL-escaped ("%xy" notation). Its return string may be three times as
long as the parameter. The FTP username and password are escaped, so
an FTP request with a sufficiently long username and password
consisting of special characters causes the above code to run out of
space and write beyond the malloc'ed memory area.
In other words, the memory is allocated according to the unescaped
string length, but the possibly longer URL-escaped string is copied
to it.
EXPLOITING
A denial of service attack against the server requires only sending
an FTP request with a username and password like described
above. Exploiting the flaw to run arbitrary code is another
story. The exploit details depend on the malloc() implementation of
the operating system.
On Linux, some malloc chunk structures can be overwritten with the
URL path. It looks like the string may contain binary data (except
null bytes and probably whitespaces) so it doesn't restrict the
exploit. With different kinds of usernames, passwords, and URLs the
program crashes in different points of libc's malloc/free functions,
which suggests that the problem may be exploitable in the similar way
as e.g. the "traceroute -g
-g" flaw. The possible exploit isn't a matter of cut'n'paste however.
By default, Squid doesn't drop root privilege completely and thus the
attacker would gain root shell access. It will drop the privilege
only if the chroot option has been used in squid.conf. In that case
the attacker would get a shell running as the squid user (or what
ever has been defined in the configuration).
SOLUTION
Squid developers were contacted on Saturday Feb 16. They produced and
sent me a patch to correct the flaw in less than 3 hours. There is a
patch and an updated package (also addressing two other security
issues) on the Squid website. For more information, see the advisory
at
http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
CREDITS
The vulnerability was found by Jouko Pynnönen of Online Solutions Ltd.
Thanks to Henrik Nordstrom <hno@squid-cache.org> for a very timely
response.
--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.secmod.com
(8042190) /Jouko Pynnonen <jouko@solutions.fi>/(Ombruten)