
Squid proxy

Squid URL Filtering Bypass

# Exploit Title: Squid URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: Squid Proxy
# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213


I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software trusts the Host field of the HTTP header when the CONNECT method is used.

Re: Squid URL Filtering Bypass

On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:

> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
> 
> 
> I found a vulnerability in Squid Proxy that allows access to filtered sites.

Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.

There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers

Corrections about Squid/McAfee URL Filtering Bypass

translation of the HTTP methods).
Sorry for the misunderstanding.

SSL CONNECT Translation Attack (Hostname to IP address):
McAfee Web Gateway 7: Vulnerable
Squid Proxy: Vulnerable

GET TO CONNECT Translation Attack:
McAfee Web Gateway 7: Vulnerable
Squid Proxy: Not Vulnerable


RE: Squid URL Filtering Bypass

Sent: Thursday, April 19, 2012 10:03 AM
To: Richard Barrett
Cc: Gabriel Menezes Nunes; bugtraq
Subject: Re: Squid URL Filtering Bypass

What I understand from the advisory is the Squid proxy is basing its filtering on the Host header when present, even for the CONNECT command which doesn't allow this header at all as it makes no sense. I haven't confirmed the bug but what's being described is definitely a vulnerability.

There's also a small misconception in what you said. The proxy will see the entire CONNECT request, headers and all - after the request headers there'll be a pair of newlines, and only *then* the remaining data is tunneled transparently. So it's the second request's headers that the proxy won't see.

On Wed, Apr 18, 2012 at 7:46 PM, Richard Barrett <r.barrett@openinfo.co.uk> wrote:
>

Re: Squid URL Filtering Bypass

> On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:
>
>> # Exploit Title: Squid URL Filtering Bypass
>> # Date: 16/04/2012
>> # Author: Gabriel Menezes Nunes
>> # Version: Squid Proxy
>> # Tested on: Squid Proxy 3.1.19
>> # CVE: CVE-2012-2213
>>
>>
>> I found a vulnerability in Squid Proxy that allows access to filtered sites.

Re: Squid URL Filtering Bypass

On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:
> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.

SQUID-2007:2, Dec 4, 2007

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2007:2
__________________________________________________________________

Advisory ID:            SQUID-2007:2
Date:                   November 27, 2007
Summary:                Denial of service in cache updates
Affected versions:      Squid 2.X (2.0 -> 2.6.STABLE16); Squid-3.

Squid Proxy Cache Denial of Service in request handling

__________________________________________________________________

       Squid Proxy Cache Security Update Advisory SQUID-2009:1
__________________________________________________________________

Advisory ID:            SQUID-2009:1
Date:                   February 02, 2009
Summary:                Denial of service in request processing
Affected versions:      Squid 2.7 -> 2.7.STABLE5,
                         Squid 3.0 -> 3.0.STABLE12,

VideoCache 1.9.2 vccleaner root vulnerability

====[ SYNOPSIS ]=====================================================

VideoCache is a Squid URL rewriter plugin written in Python for 
bandwidth optimization while browsing video sharing websites.  Version 
1.9.2 allows a user with the privileges of the Squid proxy server to 
append semi-arbitrary data to arbitrary files with root privileges, upon 
the administrator's execution of the 'vccleaner' utility.


====[ DISCUSSION ]===================================================

Proxy bypass vulnerability & plain text passwords in LevelOne AMG-2000

& AMG-2000 Manual v2.0, Jun-13-2007


Vulnerability overview:
-----------------------
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN
or Internet, e.g. by supplying a username/password on the portal site (depends
on how the system is configured, e.g. on-demand "guest" users or
authentication via RADIUS, LDAP or NT domain). This built-in proxy is
misconfigured which leads to the following vulnerability:


[ MDVSA-2008:079 ] - Updated sarg packages fix multiple vulnerabilities

Problem Description:

A stack-based buffer overflow in sarg (Squid Analysis Report Generator)
allowed remote attackers to execute arbitrary code via a long Squid
proxy server User-Agent header (CVE-2008-1167).

A cross-site scripting vulnerability in sarg version 2.x prior to
2.2.5 allowed remote attackers to inject arbitrary web script or
HTML via the User-Agent header, which is not properly handled when
displaying the Squid proxy log (CVE-2008-1168).



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.