ru.nethack

 
 - RU.NETHACK -------------------------------------------------------------------
 From : Yaroslav Klyukin                     2:5020/400     10 Aug 2002  23:46:39
 To : Alex Krylov
 Subject : squid buffer overflow
 -------------------------------------------------------------------------------- 
 
  AK>     What exactly is the subject about? Something to do with ftp directories, but
  AK> I have no internet access right now, so I can't look it up!! I'd be very grateful
  AK> if someone could explain, or post the info to the echo, or send it by mail...
 Title
 2/3/2002
 Squid Buffer Overflow (FTP)
  
  Summary
 Squid, http://www.squid-cache.org/, is a commonly used web proxy/cache server.
 There is a buffer overflow in the code that parses FTP requests. A certain
 kind of FTP request causes a Squid child process to core dump, and repeating
 such requests makes the server unusable. Exploiting the flaw to gain shell
 access on the proxy server does not seem trivial, but may be possible. A
 remote attacker might gain root access on the server this way. In order to
 carry out these attacks, the attacker needs to be allowed to use the server by
 its configuration.
  Details
 Vulnerable systems:
  Squid versions 2.3 and 2.4
  
 The flaw is located in ftp.c, function ftpBuildTitleUrl(). When building a
 URL, the program first calculates the space needed:
  
      len = 64
           + strlen(ftpState->user)
           + strlen(ftpState->password)
           + strlen(request->host)
           + strLen(request->urlpath);
  
 Then it allocates memory:
  
      t = ftpState->base_href = xcalloc(len, 1);
  
 Then puts together the URL string with strcat:
  
      strcat(t, "ftp://");
      if (strcmp(ftpState->user, "anonymous")) {
          strcat(t, rfc1738_escape_part(ftpState->user));
          if (ftpState->password_url) {
              strcat(t, ":");
              strcat(t, rfc1738_escape_part(ftpState->password));
          }
          strcat(t, "@");
      }
      strcat(t, request->host);
      if (request->port != urlDefaultPort(PROTO_FTP))
          snprintf(&t[strlen(t)], len - strlen(t), ":%d", request->port);
      strcat(t, strBuf(request->urlpath));
      strcat(t, "/");
  
 At first look this seems ok, but there is a problem with the use of
 rfc1738_escape_part() which returns the parameter string URL-escaped ("%xy"
 notation). Its return string may be three times as long as the parameter. The
 FTP username and password are escaped, so an FTP request with a sufficiently
 long username and password consisting of special characters causes the above
 code to run out of space and write beyond the malloc'ed memory area.
  
 In other words, the memory is allocated according to the unescaped string
 length, but the possibly longer URL-escaped string is copied to it. 
 
 Exploiting:
  A denial of service attack against the server requires only sending an FTP
 request with a username and password like described above. Exploiting the flaw
 to run arbitrary code is another story. The exploit details depend on the
 malloc() implementation of the operating system.
  
 On Linux, some malloc chunk structures can be overwritten with the URL path.
 It looks like the string may contain binary data (except null bytes and
 probably white spaces) so it does not restrict the exploit. With different
 kinds of usernames, passwords, and URLs the program crashes in different
 points of libc's malloc/free functions, which suggests that the problem may be
 exploitable in a similar way to e.g. the "traceroute -g -g" flaw. The
 possible exploit is not a matter of cut'n'paste however. By default, Squid
 does not drop root privilege completely and thus the attacker would gain root
 shell access. It will drop the privilege only if the chroot option has been
 used in squid.conf. In that case, the attacker would get a shell running as
 the squid user (or what ever has been defined in the configuration).
  
 Solution:
  Squid developers were contacted on Saturday Feb 16. They produced and sent a
 patch to correct the flaw in less than 3 hours. There is a patch and an
 updated package (also addressing two other security issues) on the Squid
 website. For more information, see the advisory at:
  http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
  
  Additional information
 The information has been provided by Jouko Pynnonen. 
 
 All the best! My email: bulldozer@skintwin.no-ip.com ICQ# 1045670
 
 --- ifmail v.2.15dev5
  * Origin: FidoNet Online - http://www.fido-online.com (2:5020/400)
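The length mismatch described in the advisory quoted above, as an added example that is not part of the original post or of Squid's source. escape_part() is a simplified stand-in for rfc1738_escape_part() (it escapes every byte outside alphanumerics and "-_.~", so it has the same worst-case growth of three bytes per input byte); FTP_DEFAULT_PORT is assumed to be 21 (urlDefaultPort(PROTO_FTP)); the host, path and the 100-character "#" username are constructed sample values. squid_alloc_len() reproduces the sizing formula from Squid 2.3/2.4, build_title_url() assembles the same string but sizes the buffer from the escaped components, and would_overflow() compares the two so you can see which requests would have written past the xcalloc'ed area.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FTP_DEFAULT_PORT 21   /* assumed value of urlDefaultPort(PROTO_FTP) */

/* Simplified stand-in for rfc1738_escape_part(): every byte that is not
 * alphanumeric or one of "-_.~" becomes "%XX", so the result can be up to
 * three times as long as the input. Returns a malloc'd string. */
static char *escape_part(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(3 * n + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr("-_.~", c))
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", (unsigned)c);
    }
    *p = '\0';
    return out;
}

/* The buffer size Squid 2.3/2.4 computed in ftpBuildTitleUrl(): it counts
 * the *unescaped* user and password, plus a 64-byte slack. */
size_t squid_alloc_len(const char *user, const char *password,
                       const char *host, const char *path)
{
    return 64 + strlen(user) + strlen(password) + strlen(host) + strlen(path);
}

/* Builds the same base_href string, but sizes the buffer from the escaped
 * components. *out_len receives the bytes actually required, including the
 * terminating NUL. Returns a malloc'd string, or NULL on allocation failure. */
char *build_title_url(const char *user, const char *password, int password_url,
                      const char *host, int port, const char *path,
                      size_t *out_len)
{
    char *euser = escape_part(user);
    char *epass = escape_part(password);
    char portbuf[16] = "";
    size_t need;
    char *t = NULL;

    if (!euser || !epass)
        goto out;
    if (port != FTP_DEFAULT_PORT)
        snprintf(portbuf, sizeof portbuf, ":%d", port);

    /* "ftp://" + host + [":port"] + path + "/" + NUL */
    need = strlen("ftp://") + strlen(host) + strlen(portbuf) + strlen(path) + 2;
    if (strcmp(user, "anonymous") != 0) {
        need += strlen(euser) + 1;          /* escaped user + "@" */
        if (password_url)
            need += 1 + strlen(epass);      /* ":" + escaped password */
    }
    t = calloc(need, 1);
    if (!t)
        goto out;
    strcpy(t, "ftp://");
    if (strcmp(user, "anonymous") != 0) {
        strcat(t, euser);
        if (password_url) {
            strcat(t, ":");
            strcat(t, epass);
        }
        strcat(t, "@");
    }
    strcat(t, host);
    strcat(t, portbuf);
    strcat(t, path);
    strcat(t, "/");
    if (out_len)
        *out_len = need;
out:
    free(euser);
    free(epass);
    return t;
}

/* 1 if Squid's original sizing is too small for this request, 0 if it fits,
 * -1 on allocation failure. */
int would_overflow(const char *user, const char *password, int password_url,
                   const char *host, int port, const char *path)
{
    size_t need = 0;
    char *u = build_title_url(user, password, password_url, host, port, path, &need);
    if (!u)
        return -1;
    free(u);
    return need > squid_alloc_len(user, password, host, path);
}

int main(void)
{
    char user[101];                     /* constructed: 100 x '#' */
    size_t need = 0;
    char *u;
    memset(user, '#', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    u = build_title_url(user, user, 1, "ftp.example.com", 21, "/pub", &need);
    printf("Squid 2.4 allocates %zu bytes, the escaped URL needs %zu\n",
           squid_alloc_len(user, user, "ftp.example.com", "/pub"), need);
    free(u);
    return 0;
}
```

Run as written it reports 283 bytes allocated against 629 needed: each "#" in the user and password costs three bytes after escaping, but only one byte was budgeted, and the 64-byte slack covers less than a third of the difference. The same arithmetic with "anonymous" (no user or password copied) stays well inside the buffer, which is why only authenticated FTP URLs trigger the crash.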
 
 


 Subject:    Author:    Date:
 squid buffer overflow   Alex Krylov   10 Aug 2002 23:16:52
 squid buffer overflow   Yaroslav Klyukin   10 Aug 2002 23:46:39
Archive: /ru.nethack/166797ea3b040.html