ID: SECURITYVULNS:DOC:27922
Type: securityvulns
Reporter: Securityvulns
Modified: 2012-04-19T00:00:00
Description
Exploit Title: Squid URL Filtering Bypass
Date: 16/04/2012
Author: Gabriel Menezes Nunes
Version: Squid Proxy
Tested on: Squid Proxy 3.1.19
CVE: CVE-2012-2213
I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software believes the Host field of the HTTP header when the CONNECT method is used.
Example:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com

It is blocked.

CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)

It is blocked.

But:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.uol.com.br (allowed url)

The connection works.

From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.

This vulnerability is different from the CONNECT Tunnel method. The
flaw is in the Host field processing. The software believes this
field.

So, any site can be accessed. URL filtering in this software is
irrelevant and useless.
One of the most important (if not the most important) features of this
kind of device is to protect the network in accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malware, bypassing any protection.
I developed a Python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.

Published: 2012-04-19T00:00:00
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:27922
Related records

CVE-2012-2213 (NVD; published 2012-04-28T10:06:00, modified 2012-04-30T17:58:00; CWE-264; CVSS v2 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N; CPE cpe:/a:squid-cache:squid:3.1.9; https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2213)
** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br.

SECURITYVULNS:VULN:12324 (published 2012-04-19T00:00:00; CVE-2012-2212, CVE-2012-2213; CVSS 5.0, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/; https://vulners.com/securityvulns/SECURITYVULNS:VULN:12324)
Squid / McAfee Web Gateway URL filtering bypass. Server trusts the Host: header in CONNECT request.
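
A detection-side check for the CONNECT requests shown in the advisory, added here as an example (it is not the author's proof-of-concept script and not Squid code). It parses a CONNECT request, reports whether the Host header agrees with the tunnel target, and returns the target as the only value a filter decision should key on. The function names and verdict strings are assumptions made for this example.

```python
import ipaddress

def parse_connect(raw: bytes):
    """Return (target_host, target_port, host_header or None) for a CONNECT request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method.upper() != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    host_header = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host_header = value.strip()
            break
    return host.strip("[]").lower(), int(port), host_header

def host_only(value: str) -> str:
    """Drop an optional :port from a Host header value; unwrap [IPv6] literals."""
    if value.startswith("["):
        return value[1:value.index("]")].lower()
    return (value.rsplit(":", 1)[0] if value.count(":") == 1 else value).lower()

def audit_connect(raw: bytes):
    """Return (verdict, policy_host); policy_host is always the CONNECT target."""
    target_host, _port, host_header = parse_connect(raw)
    if host_header is None:
        verdict = "no-host-header"
    elif host_only(host_header) == target_host:
        verdict = "consistent"
    else:
        try:
            ipaddress.ip_address(target_host)
            verdict = "mismatch-ip-target"  # name in Host cannot be verified offline
        except ValueError:
            verdict = "mismatch"
    return verdict, target_host

# Constructed from the three requests in the advisory, plus one consistent request.
SAMPLES = {
    "blocked_host": b"CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "no_host": b"CONNECT 66.220.147.44:443 HTTP/1.1\r\n\r\n",
    "allowed_host": b"CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n",
    "consistent": b"CONNECT www.uol.com.br:443 HTTP/1.1\r\nHost: www.uol.com.br:443\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_connect(raw))
```

The first and third advisory requests get the same verdict and the same policy host, which is the point: the tunnel goes to the address in the request line regardless of the name placed in Host.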