CVE-2019-12527: Squid buffer overflow leading to remote code execution (vulnerability alert)

Source: www.myhack58.com (MYHACK58:62201995648)
Author: 佚名 (anonymous)
Published: Aug 26, 2019

CVSS3: 8.8 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

0x00 vulnerability background
On August 22, 2019, the Trend Micro research team published an analysis report on CVE-2019-12527, a buffer overflow vulnerability in the Squid proxy server. An attacker can exploit it without authentication by sending a crafted packet, resulting in remote code execution.
Squid is a popular open source proxy and caching application that supports HTTP, HTTPS, FTP and other network protocols and is widely deployed.

0x01 vulnerability details
cachemgr.cgi is the Squid Cache Manager interface, used to display proxy statistics. Squid handles the headers of a cachemgr request in CacheManager::ParseHeaders(); if the request carries an Authorization header and its type is Basic, it calls the vulnerable function HttpHeader::getAuth().
HttpHeader::getAuth() defines decodedAuthToken as an 8192-byte array used to store the base64-decoded credentials.
It decodes the credentials with base64_decode_update:
    base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field)
If the decoded result exceeds 8192 bytes, a buffer overflow occurs.
[Figure: the original code compared with the patch]
Original logic: decodedAuthToken is statically defined with a size of 8192 bytes
Patch fix: the storage length is derived dynamically from the base64-decoded length
An unauthenticated remote attacker can exploit this vulnerability by sending a carefully crafted HTTP request to the target server. Successful exploitation gives the attacker code execution; a failed attempt terminates the server process abnormally.
When Squid acts as an FTP proxy and the request URI begins with ftp, the vulnerable function HttpHeader::getAuth() is also called.
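As an added example (not Squid's code and not part of the original advisory), the following C illustrates the defect class described above and the approach the patch takes: a base64 decoder that refuses to write past the output buffer, and a variant that sizes the buffer from the encoded length instead of a fixed 8192 bytes. The function names and the sample tokens used to exercise it are constructed for illustration.

```c
/* Added example, not Squid's code: bounds-checked Basic-auth token decoding. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_TOKEN_BUF 8192  /* size of decodedAuthToken in the vulnerable getAuth() */

/* Upper bound on decoded bytes for an encoded length: 3 output bytes per 4 input chars. */
static size_t base64_decoded_bound(size_t encoded_len) {
    return (encoded_len / 4) * 3 + 3;   /* +3 covers an unpadded tail */
}

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;   /* '=' padding or junk */
}

/* Decode field into out (capacity cap). Returns the decoded length, or -1 if the
 * output would not fit or the input is malformed; never writes past cap. */
static long decode_auth_checked(const char *field, uint8_t *out, size_t cap) {
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (const char *p = field; *p; ++p) {
        int v = b64val((unsigned char)*p);
        if (v < 0) { if (*p == '=') break; return -1; }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;   /* the bounds check the fixed 8192-byte buffer lacked */
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Patched approach: size the buffer from the encoded length rather than a fixed 8192. */
static long decode_auth_dynamic(const char *field, uint8_t **out) {
    size_t cap = base64_decoded_bound(strlen(field));
    *out = malloc(cap);
    if (!*out) return -1;
    long n = decode_auth_checked(field, *out, cap);
    if (n < 0) { free(*out); *out = NULL; }
    return n;
}
```

With a token long enough to decode to more than 8192 bytes, decode_auth_checked() fails closed against the fixed buffer while decode_auth_dynamic() succeeds, which is the behavioural difference between the vulnerable and patched code.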

0x02 affected versions
Squid 4.0.23 through 4.7

0x03 remediation recommendations
Squid has confirmed the issue and released a patch; upgrade to the latest version, Squid 4.8.
Users who cannot update yet can recompile Squid with --disable-auth-basic,
or deny access to the cache manager reports and to FTP proxying:
acl FTP proto FTP
http_access deny FTP
http_access deny manager
