squidGuard 1.3 & 1.4 : buffer overflow

2009-10-26T00:00:00
ID SECURITYVULNS:DOC:22679
Type securityvulns
Reporter Securityvulns
Modified 2009-10-26T00:00:00

Description

Advisory

Date 2009-10-26 Program squidGuard URL http://squidguard.org/ Found by Matthieu BOUTHORS

Application description

SquidGuard is a URL redirector used to use blacklists with the proxysoftware Squid. There are two big advantages to squidguard: it is fast and it is free. SquidGuard is published under GNU Public License.

Vulnerability description

Multiple buffer overflow can lead to filtering policy bypass and DoS.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3700 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Vulnerability details

The vulnerability is due to insecure buffer handling.

For instance in sgLog.c :

if(vsprintf(msg, format, ap) > (MAX_BUF - 1))

This piece of code may cause a buffer overflow and detects when it's too late. squidGuard only logs URL with patched bypass attempts (for instance, trailing dot or double dash, see http://www.squidguard.org/Doc/advisories.html).

MAX_BUF is 4096, squid does not allow URL greater than 4096 characters. So in order to cause a buffer overflow, the attacker has to use an URL close to 4096 characters. A succesfull attackers would put squidGuard in emergency mode, in this mode squidGuard approve each requests. A less succesfull attacker can freeze the squidGuard instance, reproduct this attack can lead to a DoS.

Systems affected

squidGuard 1.3 squidGuard 1.4

Solution

Two patches has been released by the squidGuard team : Patch-20091015 and Patch-20091019.