Security researchers have detailed a newly discovered flaw in the Squid web proxy that could allow hackers to send a crafted request to the target server, resulting in code execution in the context of the Squid process.
According to a posting on the Zero Day Initiative web site, the flaw affects many versions of the proxy. Affected versions include Squid 4.0.23 through 4.7: due to incorrect buffer management, Squid is vulnerable to a heap overflow and possible remote code execution when processing HTTP Authentication credentials.
Saran Neti and Sivathmican Sivakumaran of the Trend Micro Research Team said that successful exploitation "will result in the attacker being able to execute arbitrary code with the privileges of the server process while an unsuccessful attack will cause the server process to abnormally terminate."
In a separate advisory, the vulnerability was described as allowing "a malicious client to write a substantial amount of arbitrary data to the heap. Potentially gaining ability to execute arbitrary code.
"On systems with memory access protections this can result in the Squid process being terminated unexpectedly. Resulting in a denial of service for all clients using the proxy. This issue is limited to traffic accessing the Squid Cache Manager reports or using the FTP protocol gateway," the advisory stated.
In a Mitre description of the flaw, when Squid checks basic authentication with HttpHeader::getAuth, it "uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user-controlled data".
Researchers said that following "Authorization: Basic", there is a string of characters, only a portion of which is visible in this fragment.
"When the entire string is base64 decoded, the result overflows the 8192-byte buffer. Note that the process of base64 decoding produces output that is 3/4 of the input length, so the transmitted string must actually be considerably longer than 8192 bytes for a successful attack," said researchers.
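The arithmetic described above, as an added example that is not Squid's code: a Python check that works out how many bytes a Basic token will decode to without decoding it, flags any token that would not fit a fixed 8192-byte buffer, and computes the smallest encoded length that exceeds it. The request samples, hostnames and function names are constructed for the illustration.

```python
import base64

# Size of the fixed global buffer the advisory describes (from the article).
SQUID_BASIC_AUTH_BUFFER = 8192


def base64_decoded_length(token: str) -> int:
    """Output size of a standard base64 token, computed without decoding it:
    every 4 input characters give 3 bytes, each trailing '=' removes one."""
    padding = len(token) - len(token.rstrip("="))
    return (len(token) * 3) // 4 - padding


def min_overflowing_encoded_length(buffer_size: int = SQUID_BASIC_AUTH_BUFFER) -> int:
    """Smallest base64 token whose decoded form exceeds `buffer_size` bytes."""
    needed_bytes = buffer_size + 1            # one byte past the end of the buffer
    return ((needed_bytes + 2) // 3) * 4      # ceil(needed / 3) groups of 4 chars


def extract_basic_token(raw_request: bytes):
    """Return the token (str) of an 'Authorization: Basic' header, or None if absent."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                return token.strip().decode("ascii", "replace")
    return None


def check_basic_auth(raw_request: bytes, buffer_size: int = SQUID_BASIC_AUTH_BUFFER) -> dict:
    """The bounds check a decoder must make before writing: does the token fit?"""
    token = extract_basic_token(raw_request)
    if token is None:
        return {"present": False}
    decoded = base64_decoded_length(token)
    return {"present": True, "encoded_len": len(token),
            "decoded_len": decoded, "overflows": decoded > buffer_size}


# Constructed sample requests for the check (not captured traffic).
REQUEST_LINE = b"GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n"
NORMAL_REQUEST = (REQUEST_LINE + b"Authorization: Basic "
                  + base64.b64encode(b"alice:correct horse") + b"\r\n\r\n")
# 8193 bytes of credential material: one byte more than the buffer holds.
OVERSIZED_REQUEST = (REQUEST_LINE + b"Authorization: Basic "
                     + base64.b64encode(b"A" * 8193) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, check_basic_auth(req))
    print("smallest overflowing token:", min_overflowing_encoded_length(), "characters")
```

The same length check, placed before the decode, is what a fixed-buffer decoder needs; replacing the fixed buffer with a dynamically sized one, as the Squid fix does, removes the need for it.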
The security advisory said that the bug is fixed in Squid version 4.8. The notes for the fixing commit state that the fixed-size buffer used for decoding base64 tokens was replaced with an SBuf, avoiding decoder issues on large inputs, and that callers were updated to SBuf API operations for more efficient memory management.
The Squid advisory said that workarounds can be deployed if a server cannot be patched. These include denying all clients proxied access to ftp:// URLs and access to Cache Manager reports.
Jonny Milliken, manager of the research team at Alert Logic, told SC Media UK that there are two critical steps in security: knowing your assets and knowing what threats exist. If you are not aware of both of those things, it's almost impossible to respond or mitigate effectively.
"Therefore, the best mitigation against these types of threats is good knowledge and investment in cyber-security as a priority. Once you know both of these things then the response is fairly textbook – patch as soon as possible. If that’s not possible, consider removing the host from the internet until you can. If virtual patching is available, then that can be an effective tool. Leaving an unauthenticated remote code execution vulnerability open to the internet and unpatched is inviting trouble," he said.