CVE-2019-12527: Squid buffer overflow leading to remote code execution

0x00 Background

On August 22, 2019, the Trend Micro research team published an analysis of CVE-2019-12527, a buffer overflow in the Squid proxy server. An attacker can construct a request that triggers this vulnerability and achieve remote code execution without any authentication.

Squid is a popular open-source proxy server and caching application that supports HTTP, HTTPS, FTP and other network protocols, and is widely deployed.

0x01 Vulnerability details

cachemgr.cgi is Squid's cache management interface, used to display statistics about the proxy process. Squid uses the CacheManager::ParseHeaders() function to process requests aimed at the cache manager; if the request headers contain an Authorization header of type Basic, the vulnerable function HttpHeader::getAuth() is called.

HttpHeader::getAuth() defines the decodedAuthToken array with a fixed size of 8192 bytes to hold the base64-decoded credentials.

The credentials are decoded with the base64_decode_update function:

    base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field);

If the decoded result exceeds 8192 bytes, a buffer overflow occurs.

Original logic: decodedAuthToken is statically defined with a size of 8192 bytes.
Patch: the storage is sized dynamically according to the base64-decoded length.
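To make the difference between the two shapes concrete, the following is an added example (not Squid's own code, and not from the advisory). It uses a small hand-written bounded base64 decoder as a hypothetical stand-in for nettle's base64_decode_update, which has no destination-capacity parameter; decodeAuthTokenFixed() models the pre-patch fixed 8192-byte decodedAuthToken, and decodeAuthTokenDynamic() models the patched approach of sizing the buffer from the base64 input length before decoding. The inputs (a short "user:pass" credential and a 12000-character token that decodes to 9000 bytes) are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Buffer size used by the vulnerable HttpHeader::getAuth() (from the advisory).
static const size_t kDecodedAuthTokenSize = 8192;

// Map one base64 alphabet character to its 6-bit value, or -1 if invalid.
static int base64Value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Upper bound on the decoded size of n base64 characters: 3 bytes per group
// of 4 characters, rounding a partial trailing group up.
size_t base64DecodedCapacity(size_t n) {
    return ((n + 3) / 4) * 3;
}

// Bounded base64 decoder (hypothetical stand-in for nettle's
// base64_decode_update, which takes no destination capacity). Returns the
// number of bytes written, or -1 if the input is malformed or the output
// would not fit in dstCap bytes.
long base64DecodeBounded(const char *src, size_t srcLen, uint8_t *dst, size_t dstCap) {
    size_t out = 0;
    uint32_t acc = 0;   // pending bits not yet emitted
    int bits = 0;       // number of valid bits in acc
    for (size_t i = 0; i < srcLen; ++i) {
        if (src[i] == '=') break;             // padding terminates the data
        int v = base64Value(src[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dstCap) return -1;     // the check the vulnerable path lacked
            dst[out++] = static_cast<uint8_t>((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;          // drop the bits just emitted
        }
    }
    return static_cast<long>(out);
}

struct FixedDecode {
    bool ok;                        // credential fit in the 8192-byte buffer
    size_t decodedLen;              // bytes produced
    bool wouldOverflowFixedBuffer;  // original code would have written past the end
};

// Pre-patch shape: decode into a fixed 8192-byte array. Where the unbounded
// decoder kept writing past decodedAuthToken, the bounded one refuses.
FixedDecode decodeAuthTokenFixed(const std::string &field) {
    uint8_t decodedAuthToken[kDecodedAuthTokenSize];
    long n = base64DecodeBounded(field.data(), field.size(),
                                 decodedAuthToken, sizeof(decodedAuthToken));
    if (n < 0) {
        bool tooBig = base64DecodedCapacity(field.size()) > sizeof(decodedAuthToken);
        return FixedDecode{false, 0, tooBig};
    }
    return FixedDecode{true, static_cast<size_t>(n), false};
}

struct DynamicDecode {
    bool ok;
    std::string credential;         // decoded "user:password"
};

// Post-patch shape: size the buffer from the base64 input length before
// decoding, so no credential length can exceed the destination.
DynamicDecode decodeAuthTokenDynamic(const std::string &field) {
    std::vector<uint8_t> buf(base64DecodedCapacity(field.size()));
    long n = base64DecodeBounded(field.data(), field.size(), buf.data(), buf.size());
    if (n < 0) return DynamicDecode{false, std::string()};
    return DynamicDecode{true, std::string(reinterpret_cast<const char *>(buf.data()),
                                          static_cast<size_t>(n))};
}

int main() {
    // Constructed inputs: a normal credential and an oversized token of 12000
    // base64 characters (decodes to 9000 bytes, more than the fixed buffer holds).
    std::string normal = "dXNlcjpwYXNz";        // "user:pass"
    std::string oversized(12000, 'A');
    FixedDecode f = decodeAuthTokenFixed(oversized);
    DynamicDecode d = decodeAuthTokenDynamic(oversized);
    std::printf("normal: %s\n", decodeAuthTokenDynamic(normal).credential.c_str());
    std::printf("oversized, fixed buffer: ok=%d would_overflow=%d\n",
                f.ok, f.wouldOverflowFixedBuffer);
    std::printf("oversized, dynamic buffer: ok=%d len=%zu\n", d.ok, d.credential.size());
    return 0;
}
```

The point of the comparison is that the fix is not a bigger fixed array but deriving the destination size from the input before decoding; a bounded decoder (or an explicit length check before calling an unbounded one) is the defensive property that was missing.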

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation gives the attacker code execution; a failed attempt terminates the server process abnormally.

When Squid is used as an FTP proxy and the requested URI begins with ftp, the vulnerable function HttpHeader::getAuth() is also called.

0x02 Affected versions

Squid 4.0.23 -> 4.7

0x03 Remediation

Squid has confirmed the issue and released a patch; upgrade to the latest version, Squid 4.8.

Users who cannot upgrade immediately can rebuild Squid with --disable-auth-basic,

or deny access to cache manager reports and to FTP proxying:

    acl FTP proto FTP
    http_access deny FTP
    http_access deny manager

0x04 Timeline

2019-07-12 Squid publishes its security advisory

2019-08-22 Trend Micro publishes its research report

2019-08-23 360-CERT issues a vulnerability alert

0x05 References

https://www.thezdi.com/blog/2019/8/22/cve-2019-12527-code-execution-on-squid-proxy-through-a-heap-buffer-overflow

https://github.com/squid-cache/squid/commit/7f73e9c5d17664b882ed32590e6af310c247f320

0x06 Reference advisory

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2019:5
__________________________________________________________________

Advisory ID:        SQUID-2019:5
Date:               July 12, 2019
Summary:            Heap Overflow issue
                    in HTTP Basic Authentication processing.
Affected versions:  Squid 4.0.23 -> 4.7
Fixed in version:   Squid 4.8
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12527
__________________________________________________________________

Problem Description:

 Due to incorrect buffer management Squid is vulnerable to a
 heap overflow and possible remote code execution attack when
 processing HTTP Authentication credentials.

__________________________________________________________________

Severity:

 This allows a malicious client to write a substantial amount of
 arbitrary data to the heap, potentially gaining the ability to
 execute arbitrary code.

 On systems with memory access protections this can result in
 the Squid process being terminated unexpectedly, resulting in a
 denial of service for all clients using the proxy.

 This issue is limited to traffic accessing the Squid Cache
 Manager reports or using the FTP protocol gateway.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid-3.x are not vulnerable.

 All Squid-4.x up to and including 4.0.22 are not vulnerable.

 All Squid-4.0.23 up to and including 4.7 built with Basic
 Authentication features are vulnerable.

__________________________________________________________________

Workarounds:

Either;

 Deny ftp:// protocol URLs being proxied and Cache Manager report
 access to all clients:

    acl FTP proto FTP
    http_access deny FTP
    http_access deny manager

Or,

 Build Squid with --disable-auth-basic

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Jeriko One
 <jeriko.one@gmx.us>.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-05 15:52:17 UTC CVE Assignment
 2019-06-19 05:58:36 UTC Patches Released
 2019-07-12 13:00:00 UTC Advisory Released
__________________________________________________________________
END
