Squid URL Filtering Bypass

2012-04-19T00:00:00
ID SECURITYVULNS:DOC:27922
Type securityvulns
Reporter Securityvulns
Modified 2012-04-19T00:00:00

Description

Exploit Title: Squid URL Filtering Bypass

Date: 16/04/2012

Author: Gabriel Menezes Nunes

Version: Squid Proxy

Tested on: Squid Proxy 3.1.19

CVE: CVE-2012-2213

I found a vulnerability in Squid Proxy that allows access to filtered sites. The software trusts the Host field of the HTTP header when the CONNECT method is used. Example:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.facebook.com

It is blocked.

CONNECT 66.220.147.44:443 HTTP/1.1
(no Host field)

It is blocked.

But:

CONNECT 66.220.147.44:443 HTTP/1.1
Host: www.uol.com.br
(an allowed URL)

The connection works.

From here, I can send SSL traffic without a problem. This way, I can access any blocked site that allows SSL connections.

This vulnerability is different from the generic CONNECT tunnel method. The flaw is in the processing of the Host field: the software trusts this field when deciding whether the request is allowed.

So any site can be accessed, and the URL filtering in this software is rendered ineffective. One of the most important features (if not the most important) of this kind of device is to keep the network from accessing specific URLs, so this flaw is very dangerous, and it could be used even by malware to bypass such protection. I developed a Python script that acts like a proxy and uses this flaw to access any site. This tool is just a proof of concept.
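Added example, not part of the advisory and not Squid's own code: a defender-side check in Python that applies a deny-list to the CONNECT request target (the host or IP on the request line) rather than to the Host header, and additionally flags any CONNECT request whose Host header names a different host than the tunnel target, which is the tell-tale shape of the bypass above. The deny-list and the sample requests are constructed for the demonstration; the IP address and hostnames are the ones quoted in the advisory.

```python
import re

# Hypothetical deny-list for the demonstration (not Squid configuration).
BLOCKED = {"www.facebook.com", "66.220.147.44"}

# Request line of a CONNECT request: "CONNECT host[:port] HTTP/1.x".
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d+))?\s+HTTP/1\.[01]$")

# Constructed request heads modelled on the advisory's three cases.
REQ_HOST_BLOCKED = "CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_NO_HOST = "CONNECT 66.220.147.44:443 HTTP/1.1\r\n\r\n"
REQ_HOST_ALLOWED = "CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n"


def parse_connect(raw):
    """Return (target_host, target_port, host_header) for a CONNECT request head.

    host_header is None when the request carries no Host field."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = CONNECT_RE.match(lines[0])
    if not m:
        raise ValueError("not a CONNECT request: %r" % lines[0])
    host_header = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # Port stripped; IPv6 literals in Host are not handled here.
            host_header = value.strip().split(":")[0].lower()
    target = m.group("host").strip("[]").lower()
    return target, int(m.group("port") or 443), host_header


def decide(raw):
    """Filter on the tunnel target, the value that will actually be connected to,
    and report whether the Host header disagrees with that target."""
    target, port, host_hdr = parse_connect(raw)
    return {
        "target": target,
        "port": port,
        "host_header": host_hdr,
        "blocked": target in BLOCKED,
        "host_mismatch": host_hdr is not None and host_hdr != target,
    }


if __name__ == "__main__":
    for req in (REQ_HOST_BLOCKED, REQ_NO_HOST, REQ_HOST_ALLOWED):
        print(decide(req))
```

A mismatch between the CONNECT target and the Host header is worth logging on any forward proxy, since a legitimate client has no reason to send the two values for different hosts.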