Thursday, May 5, 2016

“Squoison” Attack: High-severity Vulnerability in Squid Proxy Server Allows Cache Poisoning



Jianjun Chen, a postgraduate student at Tsinghua University, discovered a critical vulnerability in the popular Squid proxy server. He found that Squid does not conform to RFC 7230 and does not properly parse and process the Host header in HTTP requests. This allows attackers to conduct a cache poisoning attack using a specially crafted malicious request.

What is the problem?

The researcher managed to execute a cache poisoning attack against unencrypted HTTP requests in Squid-3.5.12. For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. In this scenario, the attacker first establishes a TCP connection with the attack.com web server. Because Squid works in transparent proxy mode, these requests are intercepted and forwarded. Next, the attacker sends the following HTTP request:

GET http://victim.com/ HTTP/1.1
Host: attack.com 

The cache module uses the host from the request line (victim.com) to create the cache key, whereas the verification module uses the Host header (attack.com) to check that the host corresponds to the destination IP address. This inconsistency is what makes the attack possible.
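A defender-side check for the inconsistency described above, as an added example that is not part of the original post or of Squid's code: it flags requests whose absolute-form request-target names a different host than the Host header, and returns the single host that RFC 7230 (section 5.4) tells a proxy to use. The function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def _norm(parts, scheme):
    """(host, port) with the scheme's default port made explicit; hostname is already lower-cased."""
    default = {"http": 80, "https": 443}.get(scheme, 80)
    return (parts.hostname or "").rstrip("."), parts.port or default

def parse_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (request-target, [Host header values])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    hosts = [value.strip() for name, sep, value in
             (line.partition(":") for line in lines[1:])
             if sep and name.strip().lower() == "host"]
    return target, hosts

def classify(raw: bytes) -> str:
    """Return 'ok', 'mismatch', 'multiple-host', 'missing-host' or 'malformed'."""
    try:
        target, hosts = parse_head(raw)
        if len(hosts) > 1:
            return "multiple-host"
        if not hosts:
            return "missing-host"
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            return "ok"  # origin-form target: the Host header is the only host named
        header = urlsplit("//" + hosts[0])
        same = _norm(url, url.scheme) == _norm(header, url.scheme)
        return "ok" if same else "mismatch"
    except ValueError:  # bad request line or non-numeric port
        return "malformed"

def effective_host(raw: bytes) -> str:
    """Host to use for BOTH cache key and destination check (RFC 7230, section 5.4)."""
    target, hosts = parse_head(raw)
    url = urlsplit(target)
    if url.scheme in ("http", "https") and url.hostname:
        return url.hostname  # absolute-form wins; the received Host header is ignored
    return (urlsplit("//" + hosts[0]).hostname or "") if hosts else ""

# Constructed sample requests; "squoison" is the request shown in the article.
SAMPLES = {
    "squoison": b"GET http://victim.com/ HTTP/1.1\r\nHost: attack.com\r\n\r\n",
    "same_host": b"GET http://victim.com/ HTTP/1.1\r\nHost: VICTIM.com:80\r\n\r\n",
    "origin_form": b"GET /index.html HTTP/1.1\r\nHost: victim.com\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: victim.com\r\nHost: attack.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
```

Deriving one host value and using it for both the cache key and the destination check removes the disagreement between modules that the article describes.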

The researcher has also published a video demonstration of the attack.

Such attacks can be carried out remotely using Flash ads. The consequences of this vulnerability can be severe because many Internet providers use Squid as a transparent proxy.

Initially, the Squid developers considered the detected vulnerability to be the same as CVE-2009-0801. However, the Chinese security expert has shown that the new attack is not related to that vulnerability. In the case of CVE-2009-0801, an attacker could perform a same-origin policy (SOP) bypass attack: the issue was caused by improper processing of the destination IP address, and it has been fixed since version 3.3 of Squid. The newly detected vulnerability in Squid 3.5 is caused by inconsistent operation of the route verification and cache modules.

How to Protect Yourself

The vulnerability has already been fixed, but there is still no CVE for the issue and no patched version of Squid available. The bug fix is included only in the daily builds for versions 4 and 3.5.

Positive Technologies experts recommend enabling the host_verify_strict option, which is disabled by default, and using the Suricata IDS rule to detect exploitation attempts:
