Squid access control problem

Summary
Description: The squid http proxy allows an administrator to specify banned sites. Unfortunately, users can get around this by using URL hex escapes or specifying an IP address.
Author: "Vitaly V. Fedrushkov" <willy@CSU.AC.RU> and Mauro Lacy <mauro@INTER-SOFT.COM>
Compromise: Bypass some squid access restrictions.
Vulnerable Systems: Those relying on squid access restrictions to keep students, employees, etc. from undesirable sites.
Date: 23 February 1998
Details

Date:         Fri, 20 Feb 1998 08:04:00 +0500
From:         "Vitaly V. Fedrushkov" <willy@CSU.AC.RU>
Subject:      Simple way to bypass squid ACLs

-----BEGIN PGP SIGNED MESSAGE-----

Good $daytime,

Software:       Squid Internet Object Cache
Version:        1.1.20 (at least)
Summary:        any URL-based ACLs can be bypassed using
                simple rewriting
Impact:         renders any access control based on url_regex
                and/or urlpath_regex unusable


Details
~~~~~~~
It is possible to bypass squid access control rules based on URL
regular expressions.  Due to insufficient URL parsing it is possible
to rewrite a URL with hex escapes so that it no longer matches
some rule but remains valid for the replying server.


Example
~~~~~~~
squid.conf:
        ...
        acl PornoURLs url_regex "/var/lib/squid/etc/PornoURLs.acl"
        ...
        http_access     deny    PornoURLs
        ...

PornoURLs.acl:
        ...
        aha.ru.*/~sands/
        ...

netscape http://www.aha.ru/~sands/      -> Access denied
netscape http://www.aha.ru/~%73ands/    -> 200 OK

_BUT_

http://www.ravage.com/plypage/html/nude.html     -> Access denied
http://www.ravage.com/plypage/html/%75%6ede.html -> 404 Object Not Found

Impact
~~~~~~
Any access restrictions based on such ACLs can be easily broken by
clients.  In my case it can be used for acceptable usage policy (AUP)
violation.


Workaround
~~~~~~~~~~
1. Rewrite regexps to match any valid URL rewriting.  Seems tricky,
and the result is unreadable by humans (== easy to mistype).

2. Use some request-rewriting software at proxy port to canonify
request and forward it to squid.  This breaks port- and IDENT-based
rules.


Other software
~~~~~ ~~~~~~~~
As you can see, the result depends on the server implementation.  RFC1738 says
MAY on escaping printable characters.  It is also stated that such
escapes may change URL semantics.  Nonetheless, any other software
that uses URL matching ought to be checked.

Thanks for your time.

  Regards,
  Willy.

--
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Information Technology Division
 But iron sacrifice          | Chelyabinsk State University
 Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
                   R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE



Date: Mon, 23 Feb 1998 13:08:41 -0300
From: Mauro Lacy <mauro@INTER-SOFT.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Simple way to bypass squid ACLs

Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software:       Squid Internet Object Cache
> Version:        1.1.20 (at least)
> Summary:        any URL-based ACLs can be bypassed using
>                 simple rewriting
> Impact:         renders any access control based on url_regex
>                 and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions.  Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:

 netscape http://www.playboy.com                -> Access denied
 nslookup www.playboy.com
        ...
        Non-authoritative answer:
        Name:    wdc.express.playboy.com
        Addresses:  206.251.29.12, 205.216.146.201
        Aliases:  www.playboy.com, www.express.playboy.com

 netscape http://206.251.29.12                  -> OK!
 or
 netscape http://205.216.146.201                -> OK!

> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid.  This breaks port- and IDENT-based
> rules.
>

I suppose that in this case you have to add the numerical IP of the URL
in the ACL, e.g.:
 PornoURLs.acl:
         ...
         www.playboy.com
         206.251.29.12
         205.216.146.201
         ...

Everybody: please don't tell my company sysadmin. :-))

> - - --
> "No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
>  Shall bring us to our goal, | Information Technology Division
>  But iron sacrifice          | Chelyabinsk State University
>  Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
>                    R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

I agree.

Mauro
--
Mauro Lacy                   -              mauro@inter-soft.com
Intersoft Argentina          -              http://www.inter-soft.com
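An added example, not code from either poster nor from Squid itself, showing the defence both messages point at: canonicalize the request URL before applying url_regex rules, so hex escapes of unreserved characters are decoded, and keep the numerical addresses Mauro suggests in the same ACL list. The ACL entries and test URLs are constructed from the examples quoted in the two messages; has_evasive_escapes is a hypothetical detection helper for flagging requests that percent-encode characters that never need it.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 1738 "unreserved" characters: percent-encoding them never changes what the
# origin server sees, so decoding them before ACL matching is safe.
UNRESERVED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'()"
)

# Constructed ACL list in the spirit of PornoURLs.acl: url_regex patterns plus
# the numerical addresses Mauro suggests listing alongside the hostname.
ACL_PATTERNS = [
    r"aha\.ru.*/~sands/",
    r"www\.playboy\.com",
    r"206\.251\.29\.12",
    r"205\.216\.146\.201",
]

def decode_unreserved(s):
    """Decode %XX escapes of unreserved octets; leave reserved ones (e.g. %2F) as-is."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0)
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, s)

def canonicalize(url):
    """Rewrite a request URL so equivalent spellings compare equal before ACL checks."""
    p = urlsplit(url)
    netloc = (p.hostname or "").lower()          # case-fold the host
    if p.port is not None and not (p.scheme.lower() == "http" and p.port == 80):
        netloc += ":%d" % p.port                 # drop only the default port
    path = decode_unreserved(p.path) or "/"      # empty path == "/"
    return urlunsplit((p.scheme.lower(), netloc, path, decode_unreserved(p.query), ""))

def has_evasive_escapes(url):
    """Detection hook (hypothetical): true if the raw URL escapes unreserved characters."""
    return decode_unreserved(url) != url

def acl_denies(url, patterns=ACL_PATTERNS):
    """Emulate 'http_access deny' on url_regex entries, but match the canonical URL."""
    canon = canonicalize(url)
    return any(re.search(pat, canon) for pat in patterns)

if __name__ == "__main__":
    for u in ["http://www.aha.ru/~sands/", "http://www.aha.ru/~%73ands/",
              "http://206.251.29.12", "http://WWW.PLAYBOY.COM:80/"]:
        print(u, "->", "denied" if acl_denies(u) else "allowed",
              "(evasive escapes)" if has_evasive_escapes(u) else "")
```

Note that a bare IP pattern such as `206\.251\.29\.12` is a substring match and would also hit `206.251.29.123`; anchor the pattern if that matters.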

This page is part of Fyodor's exploit world.