Squid buffer overflow

[Jouko Pynnonen <jouko () solutions fi>]

OVERVIEW

Squid, http://www.squid-cache.org/, is a commonly used web proxy/cache
server. There is a buffer overflow in the code that parses FTP requests.
A certain kind of FTP request causes a Squid child process to coredump,
and repeating such requests makes the server unusable. Exploiting the
flaw to gain shell access on the proxy server doesn't seem trivial, but
may be possible. A remote attacker might gain root access on the server
this way. In order to carry out these attacks, the attacker needs to be
allowed to use the server by its configuration. Squid versions 2.3 and 2.4
are vulnerable.



DETAILS

The flaw is located in ftp.c, function ftpBuildTitleUrl(). When building
an URL, the program first calculates the space needed:

     len = 64
         + strlen(ftpState->user)
         + strlen(ftpState->password)
         + strlen(request->host)
         + strLen(request->urlpath);


Then it allocates memory:

     t = ftpState->base_href = xcalloc(len, 1);


And then puts together the URL string with strcat:

     strcat(t, "ftp://";);
     if (strcmp(ftpState->user, "anonymous")) {
         strcat(t, rfc1738_escape_part(ftpState->user));
         if (ftpState->password_url) {
             strcat(t, ":");
             strcat(t, rfc1738_escape_part(ftpState->password));
         }
         strcat(t, "@");
     }
     strcat(t, request->host);
     if (request->port != urlDefaultPort(PROTO_FTP))
         snprintf(&t[strlen(t)], len - strlen(t), ":%d", request->port);
     strcat(t, strBuf(request->urlpath));
     strcat(t, "/");


On the first look this seems ok, but there's a problem with the use of
rfc1738_escape_part() which returns the parameter string URL-escaped
("%xy" notation). Its return string may be three times as long as the
parameter. The FTP username and password are escaped, so an FTP request
with a sufficiently long username and password consisting of special
characters causes the above code to run out of space and write beyond the
malloc'ed memory area.

In other words, the memory is allocated according to the unescaped string
length, but the possibly longer URL-escaped string is copied to it.



EXPLOITING

A denial of service attack against the server requires only sending an
FTP request with a username and password like described above. Exploiting
the flaw to run arbitrary code is another story. The exploit details
depend on the malloc() implementation of the operating system.

On Linux, some malloc chunk structures can be overwritten with the URL
path. It looks like the string may contain binary data (except null bytes
and probably whitespaces) so it doesn't restrict the exploit. With
different kinds of usernames, passwords, and URLs the program crashes in
different points of libc's malloc/free functions, which suggests that the
problem may be exploitable in the similar way as e.g. the "traceroute -g
-g" flaw. The possible exploit isn't a matter of cut'n'paste however.

By default, Squid doesn't drop root privilege completely and thus the
attacker would gain root shell access. It will drop the privilege only if
the chroot option has been used in squid.conf. In that case the attacker
would get a shell running as the squid user (or what ever has been defined
in the configuration).



SOLUTION

Squid developers were contacted on Saturday Feb 16. They produced and
sent me a patch to correct the flaw in less than 3 hours. There is a
patch and an updated package (also addressing two other security issues)
on the Squid website. For more information, see the advisory at

  http://www.squid-cache.org/Advisories/SQUID-2002_1.txt




CREDITS

The vulnerability was found by Jouko Pynnönen of Online Solutions Ltd.
Thanks to Henrik Nordstrom <hno () squid-cache org> for a very timely
response.




-- 
Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
jouko () solutions fi                                http://www.secmod.com