[UNIX] Squid Buffer Overflow (FTP)

From: support@securiteam.com
Date: 03/02/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  2 Mar 2002 17:52:51 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Squid Buffer Overflow (FTP)
------------------------------------------------------------------------

SUMMARY

Squid, http://www.squid-cache.org/, is a commonly used web proxy/cache
server. There is a buffer overflow in the code that parses FTP requests. A
certain kind of FTP request causes a Squid child process to core dump, and
repeating such requests makes the server unusable. Exploiting the flaw to
gain shell access on the proxy server does not seem trivial, but may be
possible. A remote attacker might gain root access on the server this way.
In order to carry out these attacks, the attacker needs to be allowed to
use the server by its configuration.

DETAILS

Vulnerable systems:
Squid versions 2.3 and 2.4

The flaw is located in ftp.c, function ftpBuildTitleUrl(). When building
a URL, the program first calculates the space needed:

     len = 64
         + strlen(ftpState->user)
         + strlen(ftpState->password)
         + strlen(request->host)
         + strLen(request->urlpath);

Then it allocates memory:

     t = ftpState->base_href = xcalloc(len, 1);

Then puts together the URL string with strcat:

     strcat(t, "ftp://");
     if (strcmp(ftpState->user, "anonymous")) {
         strcat(t, rfc1738_escape_part(ftpState->user));
         if (ftpState->password_url) {
             strcat(t, ":");
             strcat(t, rfc1738_escape_part(ftpState->password));
         }
         strcat(t, "@");
     }
     strcat(t, request->host);
     if (request->port != urlDefaultPort(PROTO_FTP))
         snprintf(&t[strlen(t)], len - strlen(t), ":%d", request->port);
     strcat(t, strBuf(request->urlpath));
     strcat(t, "/");

At first look this seems ok, but there is a problem with the use of
rfc1738_escape_part() which returns the parameter string URL-escaped
("%xy" notation). Its return string may be three times as long as the
parameter. The FTP username and password are escaped, so an FTP request
with a sufficiently long username and password consisting of special
characters causes the above code to run out of space and write beyond the
malloc'ed memory area.

In other words, the memory is allocated according to the unescaped string
length, but the possibly longer URL-escaped string is copied to it.
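The sizing mistake described above, shown as an added example (this is not Squid's code and not the vendor patch): the same URL is built with the advisory's formula, which counts the unescaped user and password, and with a corrected formula that counts them at their escaped length. Every append is bounds-checked, so the run reports where the original strcat() sequence would have written past the end instead of corrupting the heap. The escape routine is an approximation of rfc1738_escape_part() (unreserved bytes pass, everything else becomes "%XX"), 21 stands in for urlDefaultPort(PROTO_FTP), and the credentials and host are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Approximation of rfc1738_escape_part(): alphanumerics and "-_.~" pass through,
 * every other byte becomes "%XX". Unlike Squid's version (static buffer) this one
 * returns a malloc'ed string. The point that matters: each escaped byte expands
 * to three output bytes, so the result may be three times the input length. */
static int is_unreserved(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || (c != 0 && strchr("-_.~", c) != NULL);
}

size_t escaped_len(const char *s) {
    size_t n = 0;
    for (; *s; s++) n += is_unreserved((unsigned char)*s) ? 1 : 3;
    return n;
}

static char *escape_part(const char *s) {
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(escaped_len(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (is_unreserved(c)) { *p++ = (char)c; }
        else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 0x0F]; }
    }
    *p = '\0';
    return out;
}

/* Sizing as in the advisory: the user and password are counted *unescaped*. */
size_t vulnerable_len(const char *user, const char *password, const char *host, const char *path) {
    return 64 + strlen(user) + strlen(password) + strlen(host) + strlen(path);
}

/* Corrected sizing: the parts that will be escaped are counted at escaped length. */
size_t safe_len(const char *user, const char *password, const char *host, const char *path) {
    return 64 + escaped_len(user) + escaped_len(password) + strlen(host) + strlen(path);
}

/* Bounded append: returns 0 and writes nothing when s (plus the NUL) would not fit. */
static int append(char *t, size_t buflen, const char *s) {
    size_t cur = strlen(t), add = strlen(s);
    if (cur >= buflen || add >= buflen - cur) return 0;
    memcpy(t + cur, s, add + 1);
    return 1;
}

/* Same construction order as ftpBuildTitleUrl(), with every write bounds-checked.
 * Returns 1 on success, 0 where the original strcat() code would have overflowed. */
int build_title_url(char *t, size_t buflen, const char *user, const char *password,
                    int password_url, const char *host, int port, const char *path) {
    int ok;
    if (buflen == 0) return 0;
    t[0] = '\0';
    ok = append(t, buflen, "ftp://");
    if (strcmp(user, "anonymous") != 0) {
        char *eu = escape_part(user);
        ok = ok && eu && append(t, buflen, eu);
        free(eu);
        if (password_url) {
            char *ep = escape_part(password);
            ok = ok && ep && append(t, buflen, ":") && append(t, buflen, ep);
            free(ep);
        }
        ok = ok && append(t, buflen, "@");
    }
    ok = ok && append(t, buflen, host);
    if (port != 21) {                       /* 21 stands in for urlDefaultPort(PROTO_FTP) */
        char pbuf[16];
        snprintf(pbuf, sizeof pbuf, ":%d", port);
        ok = ok && append(t, buflen, pbuf);
    }
    return ok && append(t, buflen, path) && append(t, buflen, "/");
}

/* Constructed sample input: 30 '#' bytes each for user and password (each escapes to "%23"). */
const char SAMPLE_USER[] = "##########" "##########" "##########";
const char SAMPLE_PASS[] = "##########" "##########" "##########";
const char SAMPLE_HOST[] = "ftp.example.com";
const char SAMPLE_PATH[] = "/pub";
char g_url[512];

/* Builds the sample URL into a buffer sized by one of the two formulas. Returns 1 if it
 * fit (copying the URL to out when out != NULL), 0 if the bounded build had to refuse. */
int try_build(int use_safe_sizing, char *out, size_t outcap) {
    size_t len = use_safe_sizing ? safe_len(SAMPLE_USER, SAMPLE_PASS, SAMPLE_HOST, SAMPLE_PATH)
                                 : vulnerable_len(SAMPLE_USER, SAMPLE_PASS, SAMPLE_HOST, SAMPLE_PATH);
    char *t = calloc(len, 1);               /* mirrors xcalloc(len, 1) */
    int ok = t && build_title_url(t, len, SAMPLE_USER, SAMPLE_PASS, 1, SAMPLE_HOST, 21, SAMPLE_PATH);
    if (ok && out) snprintf(out, outcap, "%s", t);
    free(t);
    return ok;
}

int main(void) {
    printf("unescaped-length sizing (%zu bytes): %s\n",
           vulnerable_len(SAMPLE_USER, SAMPLE_PASS, SAMPLE_HOST, SAMPLE_PATH),
           try_build(0, NULL, 0) ? "fits" : "would overflow");
    printf("escaped-length sizing (%zu bytes): %s\n",
           safe_len(SAMPLE_USER, SAMPLE_PASS, SAMPLE_HOST, SAMPLE_PATH),
           try_build(1, g_url, sizeof g_url) ? g_url : "would overflow");
    return 0;
}
```

With the sample values the advisory's formula reserves 143 bytes while the finished URL needs 208 plus the terminator, so the bounded build refuses at the password; sizing from the escaped lengths (263 bytes) lets the same URL build cleanly. The general rule the fix illustrates: size a buffer from the data that will actually be written to it, after every transformation that can grow it.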

Exploiting:
A denial of service attack against the server requires only sending an FTP
request with a username and password like described above. Exploiting the
flaw to run arbitrary code is another story. The exploit details depend on
the malloc() implementation of the operating system.

On Linux, some malloc chunk structures can be overwritten with the URL
path. It looks like the string may contain binary data (except null bytes
and probably white space) so it does not restrict the exploit. With
different kinds of usernames, passwords, and URLs the program crashes at
different points of libc's malloc/free functions, which suggests that the
problem may be exploitable in a similar way as e.g. the "traceroute -g
-g" flaw. The possible exploit is not a matter of cut'n'paste however. By
default, Squid does not drop root privilege completely and thus the
attacker would gain root shell access. It will drop the privilege only if
the chroot option has been used in squid.conf. In that case, the attacker
would get a shell running as the squid user (or whatever has been defined
in the configuration).

Solution:
Squid developers were contacted on Saturday Feb 16. They produced and sent
a patch to correct the flaw in less than 3 hours. There is a patch and an
updated package (also addressing two other security issues) on the Squid
website. For more information, see the advisory at:
http://www.squid-cache.org/Advisories/SQUID-2002_1.txt

ADDITIONAL INFORMATION

The information has been provided by Jouko Pynnonen <jouko@solutions.fi>.



