Squid httpd acceleration acl bug enables portscanning

Type securityvulns
Reporter Securityvulns
Modified 2001-07-19T00:00:00



Security Advisory: NASR-2001-001 <pnasrat@uk.now.com> Date: 18 July 2001


Squid can be used to proxy and also portscan if set up as a httpd accelerator (reverse proxy).

Versions Affected:

2.3STABLE3 and 2.3STABLE4 unpatched

This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1 - vendors basing their RPMS on RedHat 7.0 are advised to check and apply the patch from the squid site. Debian uses 2.2 and 2.4 so is unaffected.

Description of problem:

Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel mode. Note this is only if in httpd_accel_host is set and httpd_accel_with_proxy off is set. This is not the default configuration so it is not vulnerable without making these configuration changes.

This enables portscanning via squid running in this mode potentially allowing remote attackers to comprimise machines through a squid set up this way.

I discovered this whilst doing a security test on a variety of configs and later confirmed it from the squid site below:


Steps to Reproduce:

  1. Set squid to httpd_accel mode, with a particular host and strict acl's

  2. export httpd_proxy="http://squid-server:port"

  3. lynx http://victim:port/

Actual Results: You get a http 200 code if the port is open and sometimes a response with some services SSH, SMTP, etc

Expected Results: Should be access denied (403)


Proxies have often been used in anonymizing attacks on http, but as more sites uuse reverse proxying as a method of distributing their network load and load balancing requests there is the possibility that malicious users could gain proxied access or internal information via them. I attach a sample squid.conf and a sample perl portmapper taking advantage of this bug. Squid will log you running this so it isn't anonymous, and the task of discovering accelerated sites automatically is left as an exercise for the reader.


Squid are aware of this bug and have a patch on their site.

RedHat, Immunix and others have been notified and updates are imminent later today.

Consider using additional security measures such as a squid redirector, packet filtering, etc.

Paul Nasrat

"we apologise for any inconvenience" - God's Last Message to His Creation Courtesy of Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org

iD8DBQE7VbucnB2rnqD9/ooRAlM2AJ4xXtjoiLpMH9PwWbh6d1KPQzTxOACgoTRA 5iTMflCCdMGKDMW8+NowgzI= =lohz -----END PGP SIGNATURE-----