lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 21 Apr 2012 10:52:18 +1200
From: Amos Jeffries <amos@...enet.co.nz>
To: Gabriel Menezes Nunes <gab.mnunes@...il.com>
CC: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Squid URL Filtering Bypass

On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:
> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.
> The software believes in the Host field of HTTP Header using CONNECT method.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>
>
> It is blocked.
>
> CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
>
> It is blocked.
>
> But:
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.uol.com.br (allowed url)
>
> The connection works.
>
>  From here, I can send SSL traffic without a problem. This way, I can
> access any blocked site that allows SSL connections.
>
>
> This vulnerability is different from the CONNECT Tunnel method. The
> flaw is on the Host field processing. The software believes on this
> field.
>
> So, any sites can be accessed. URL filtering in this software is
> irrelevant and useless.
> One of the most important (if not the most important) feature of this
> kind of device is to protect the network in accessing specific URLs.
> So, this flaw is very dangerous, and it can be implemented even in
> malwares, bypassing any protection.
> I developed a python script that acts like a proxy and it uses this
> flaw to access any site.
> This tool is just a proof of concept.

Can you please email these details and the squid.conf used to find it to 
the security bugs reporting address bugs at squid-cache.org.

This appears to be an aspect of same-origin bypass (CVE-2009-0801) or 
something closely related.

Thank You
Amos Jeffries
Squid Software Foundation

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ