Squid httpd acceleration acl bug enables portscanning

[Paul Nasrat <pnasrat () uk now com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory: NASR-2001-001 <pnasrat () uk now com>
Date: 18 July 2001

Summary:

Squid can be used to proxy and also portscan if set up as a httpd
accelerator (reverse proxy).

Versions Affected:

2.3STABLE3 and 2.3STABLE4 unpatched 

This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1 - 
vendors basing their RPMS on RedHat 7.0 are advised to check and 
apply the patch from the squid site.  Debian uses 2.2 and 2.4 so 
is unaffected.

Description of problem:

Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel
mode.  Note this is only if in httpd_accel_host is set and
httpd_accel_with_proxy off is set.  This is not the default
configuration so it is not vulnerable without making these configuration
changes.

This enables portscanning via squid running in this mode
potentially allowing remote attackers to comprimise machines through 
a squid set up this way.

I discovered this whilst doing a security test on a variety of configs
and later confirmed it from the squid site below:

http://www.squid-cache.org/Versions/v2/2.3/bugs/

Steps to Reproduce:

1. Set squid to httpd_accel mode, with a particular host and strict
   acl's

2. export httpd_proxy="http://squid-server:port";


3. lynx http://victim:port/

Actual Results:  You get a http 200 code if the port is open and
sometimes a response with some services SSH, SMTP, etc

Expected Results:  Should be access denied (403)

Discussion:

Proxies have often been used in anonymizing attacks on http, but as more sites uuse reverse proxying as a method of 
distributing their network load and load balancing requests there is the possibility that malicious users could gain 
proxied access or internal information via them.  I attach a sample squid.conf and a sample perl portmapper taking 
advantage of this bug.  Squid will log you running this so it isn't anonymous, and the task of discovering accelerated 
sites automatically is left as an exercise for the reader.

Solution:  

Squid are aware of this bug and have a patch on their site.

RedHat, Immunix and others have been notified and updates
are imminent later today.  

Consider using additional security measures such as a
squid redirector, packet filtering, etc.  

Paul Nasrat

- -- 
"we apologise for any inconvenience" - God's Last Message to His Creation
Courtesy of Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7VbucnB2rnqD9/ooRAlM2AJ4xXtjoiLpMH9PwWbh6d1KPQzTxOACgoTRA
5iTMflCCdMGKDMW8+NowgzI=
=lohz
-----END PGP SIGNATURE-----

Attachment: squid.conf
Description:

Attachment: squidmap
Description: