Re: [squid-dev] CVE-2019-12522

2022-03-03 Thread Amos Jeffries

On 4/03/22 00:39, Eliezer Croitoru wrote:

I'm still trying to understand why it's described as "exploitable" ???
It's like saying: The Linux Kernel should not be a kernel and init (or
equivalent) should not run with uid 0 or 1.
Why nobody complains about cockpit being a root process??



This explains the _type_ of problem .



Most Squid are automatically protected against it by at least one of OS 
or compiler systems. But some can still be vulnerable, as shown by Jeriko.


Amos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


Re: [squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

2022-03-03 Thread Eliezer Croitoru
I am not sure if it’s for Squid-dev, but anyway, to clear out the doubts I would 
suggest attaching the squid.conf, and remember to remove any sensitive data.

Eliezer

Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-dev  On Behalf Of YFone Ling
Sent: Thursday, March 3, 2022 22:55
To: squid-dev@lists.squid-cache.org
Subject: [squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

My application sends HTTP CONNECT requests to a HTTP proxy port 80, but gets a
squid ERR_CONFLICT_HOST error page.

Is the following code really working as the comments pointed out "ignore them"
since the following if condition is "http->request->method !=
Http::METHOD_CONNECT"
and the rest has been blocked by error page
"repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,"?

Does "ignore them" mean block them?

void
ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
    // IP address validation for Host: failed. Admin wants to ignore them.
    // NP: we do not yet handle CONNECT tunnels well, so ignore for them
    if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
        debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
               " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

How does the squid get "hostHeaderVerifyFailed" for a normal HTTP CONNECT
request to a HTTP Proxy as simple as below?

CONNECT www.zscaler.com:80 HTTP/1.1
Host: www.zscaler.com:80
User-Agent: Windows Microsoft Windows 10 Enterprise ZTunnel/1.0
Proxy-Connection: keep-alive
Connection: keep-alive

HTTP/1.1 409 Conflict
Server: squid
Mime-Version: 1.0
Date: Tue, 22 Feb 2022 20:59:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2072
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from 3
Via: 1.1 3 (squid)
Connection: keep-alive

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: www.zscaler.com:80
..

Thank you for any help on the understanding!

Paul Ling



[squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

2022-03-03 Thread YFone Ling
My application sends  HTTP CONNECT requests to a HTTP proxy port 80, but
gets a squid ERR_CONFLICT_HOST error page.

Is the following code really working as the comments pointed out "ignore
them" since the following if condition is "http->request->method !=
Http::METHOD_CONNECT"
and the rest has been blocked by error page
"repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,"?

Does "ignore them" mean block them?

void
ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
    // IP address validation for Host: failed. Admin wants to ignore them.
    // NP: we do not yet handle CONNECT tunnels well, so ignore for them
    if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
        debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
               " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());


How does the squid get "hostHeaderVerifyFailed" for a normal HTTP CONNECT
request to a HTTP Proxy as simple as below?

CONNECT www.zscaler.com:80 HTTP/1.1
Host: www.zscaler.com:80
User-Agent: Windows Microsoft Windows 10 Enterprise ZTunnel/1.0
Proxy-Connection: keep-alive
Connection: keep-alive


HTTP/1.1 409 Conflict
Server: squid
Mime-Version: 1.0
Date: Tue, 22 Feb 2022 20:59:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2072
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from 3
Via: 1.1 3 (squid)
Connection: keep-alive

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: www.zscaler.com:80
..



Thank you for any help on the understanding!

Paul Ling
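Added example (an editor's illustration, not Squid's code and not part of the thread): a C model of the branch in the fragment Paul quotes, fed with the request head from his post as sample input. host_verify() normalises the Host header and the request-target (letter case, default port, bracketed IPv6 literal) and compares them; when they disagree it does what hostHeaderVerifyFailed() does, letting a non-CONNECT request through with only a log line when strict verification is off and answering ERR_CONFLICT_HOST otherwise. verify_request_head() parses a raw head first. All names here (host_verify, split_authority, verify_request_head, starts_with_nocase, POSTED_CONNECT, the host_verdict values) are the example's own, the default port of 80 and the HOST_MALFORMED outcome are assumptions, and the model says nothing about how Squid derives the A and B it compares: on the posted head the textual comparison passes, so the quoted branch by itself does not account for the 409.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What the quoted hostHeaderVerifyFailed() branch ends up doing. */
enum host_verdict {
    HOST_OK = 0,              /* Host agrees with the request-target: not a failure */
    HOST_MISMATCH_LOGGED = 1, /* non-CONNECT with strict verify off: log, continue */
    HOST_REJECT_409 = 2,      /* CONNECT, or strict verify on: ERR_CONFLICT_HOST */
    HOST_MALFORMED = 3        /* head or authority unparsable (this example's own) */
};

/* The request head from the post, trimmed to the lines that matter. */
const char POSTED_CONNECT[] =
    "CONNECT www.zscaler.com:80 HTTP/1.1\r\n"
    "Host: www.zscaler.com:80\r\n\r\n";

/* Split "host[:port]" or "[v6]:port" into a lower-cased host and a port;
 * a missing port becomes default_port. Returns 0, or -1 when malformed. */
static int split_authority(const char *auth, char *host, size_t hostsz,
                           int *port, int default_port)
{
    const char *colon = NULL, *hend;
    size_t hlen, i;
    int p = 0;
    if (auth[0] == '[') {                      /* bracketed IPv6 literal */
        const char *rb = strchr(auth, ']');
        if (!rb) return -1;
        hend = rb + 1;
        if (*hend == ':') colon = hend;
        else if (*hend != '\0') return -1;
    } else {
        colon = strrchr(auth, ':');
        hend = colon ? colon : auth + strlen(auth);
    }
    hlen = (size_t)(hend - auth);
    if (hlen == 0 || hlen >= hostsz) return -1;
    for (i = 0; i < hlen; i++)                 /* DNS names compare case-insensitively */
        host[i] = (char)tolower((unsigned char)auth[i]);
    host[hlen] = '\0';
    if (!colon) { *port = default_port; return 0; }
    if (colon[1] == '\0') return -1;           /* "host:" with no digits */
    for (colon++; *colon; colon++)
        if (!isdigit((unsigned char)*colon) || (p = p * 10 + (*colon - '0')) > 65535)
            return -1;
    *port = p;
    return 0;
}

/* Compare Host (A) with the request-target (B), then apply the fragment's
 * branch; strict stands in for Config.onoff.hostStrictVerify. */
enum host_verdict host_verify(const char *method, int strict, const char *host_hdr,
                              const char *target, int default_port)
{
    char a[256], b[256];
    int pa, pb;
    if (split_authority(host_hdr, a, sizeof a, &pa, default_port) != 0 ||
        split_authority(target, b, sizeof b, &pb, default_port) != 0)
        return HOST_MALFORMED;
    if (strcmp(a, b) == 0 && pa == pb) return HOST_OK;
    /* hostHeaderVerifyFailed(A, B): only non-CONNECT with strict off gets through */
    if (!strict && strcmp(method, "CONNECT") != 0) {
        fprintf(stderr, "SECURITY ALERT: Host header forgery detected (%s does not match %s)\n",
                host_hdr, target);
        return HOST_MISMATCH_LOGGED;
    }
    return HOST_REJECT_409;
}

/* Case-insensitive header-name match, so "host:" and "HOST:" both count. */
static int starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Parse a raw request head (CRLF or LF lines): the request line, then the
 * first Host header. Absolute-form targets ("GET http://h/ ...") are not handled. */
enum host_verdict verify_request_head(const char *req, int strict)
{
    char method[16], target[256], host[256] = "";
    const char *line, *v;
    size_t n;
    if (sscanf(req, "%15s %255s", method, target) != 2) return HOST_MALFORMED;
    for (line = strchr(req, '\n'); line; line = strchr(line, '\n')) {
        line++;                                /* first byte of the next line */
        if (!starts_with_nocase(line, "Host:")) continue;
        for (v = line + 5; *v == ' ' || *v == '\t'; v++) { }
        n = strcspn(v, "\r\n");
        while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t')) n--;
        if (n == 0 || n >= sizeof host) return HOST_MALFORMED;
        memcpy(host, v, n);
        host[n] = '\0';
        break;
    }
    if (host[0] == '\0') return HOST_MALFORMED;
    return host_verify(method, strict, host, target, 80); /* assumption: default port 80 */
}

int main(void)
{
    printf("posted CONNECT head, strict off: verdict %d\n", verify_request_head(POSTED_CONNECT, 0));
    return 0;
}
```

A forged Host on a CONNECT (say Host: evil.example:80 against CONNECT www.zscaler.com:80) comes back HOST_REJECT_409 whatever the strict setting, while the same forgery on a GET is only logged unless strict verification is on; that is the asymmetry the "ignore for them" comment in the fragment hides.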


Re: [squid-dev] CVE-2019-12522

2022-03-03 Thread Eliezer Croitoru
I'm still trying to understand why it's described as "exploitable" ???
It's like saying: The Linux Kernel should not be a kernel and init (or
equivalent) should not run with uid 0 or 1.
Why nobody complains about cockpit being a root process??

Thanks,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

-Original Message-
From: squid-dev  On Behalf Of Amos
Jeffries
Sent: Thursday, March 3, 2022 09:17
To: squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] CVE-2019-12522

On 2/03/22 05:35, Adam Majer wrote:
> Hi all,
> 
> There apparently was a CVE assigned some time ago but I cannot seem to 
> find it being addressed.
> 
> https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt
> 
> 
> The crux of the problem is that privileges are not dropped and could be 
> re-acquired. There is even a warning against running squid as root but 
> if root is one function call away, it seems it's the same.
> 
> Any thoughts on this?
> 


To quote myself:

"
We do not have an ETA on this issue. Risk is relatively low and several
features of Squid require the capability this allows in order to
reconfigure. So we will not be implementing the quick fix of fully
dropping root.
"

If anyone wants to work on it you can seek out any/all calls to 
enter_suid and see if they can be removed yet. Some may be able to go 
immediately, and some may need replacing with modern libcap capabilities.


HTH
Amos

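Added example (an editor's illustration, not Squid's code and not part of the thread): the distinction Amos's reply turns on, in C. drop_temporarily() is the enter_suid()/leave_suid() style of switch, effective uid only, with the saved set-user-ID left at 0 so one seteuid(0) brings root back, the "one function call away" state Adam describes; drop_permanently() replaces real, effective and saved ids with setresuid()/setresgid() and reads them back, after which the same probe fails. Each experiment runs in a forked child so the parent keeps its ids. The function names, the 65534 fallback target used when run as root, and the fork-based harness are this example's own; it covers uid handling only, not the libcap capability replacement Amos mentions for the calls that still need privilege.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for setresuid/getresuid/setresgid */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Re-declared so the file also builds where the feature macro came too late. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Temporary drop, the enter_suid()/leave_suid() style: only the effective
 * uid moves, the saved set-user-ID keeps what it was (0 for a process that
 * started as root), so a later seteuid(0) is allowed. This is the "root is
 * one function call away" state the thread is about. */
static int drop_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* Permanent drop: real, effective and saved ids are all replaced and the
 * kernel clears the capability sets on the 0 -> non-0 transition, so no id
 * is left to switch back to. Groups go first, while we still may set them. */
static int drop_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Never trust the call alone: read the ids back. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;
    return 0;
}

/* 1 if one call still makes this process euid 0, else 0. The probe puts
 * the previous euid back when it succeeds. */
static int root_regainable(void)
{
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        int back = seteuid(before);
        (void)back;
        return 1;
    }
    return 0;
}

/* Target ids for the experiment: a normal user may only set its own ids,
 * root gets 65534 (nobody's customary id; assumption: mapped in this namespace). */
uid_t demo_target_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_target_gid(void) { return getuid() == 0 ? (gid_t)65534 : getgid(); }

/* Run one experiment in a forked child so the caller keeps its own ids.
 * Returns 1 when root was still regainable after the drop, 0 when not,
 * -1 when the drop itself failed. */
static int run_in_child(int permanent, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = permanent ? drop_permanently(uid, gid) : drop_temporarily(uid);
        if (rc != 0) _exit(2);
        _exit(root_regainable() ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int check_temporary_drop(uid_t uid, gid_t gid) { return run_in_child(0, uid, gid); }
int check_permanent_drop(uid_t uid, gid_t gid) { return run_in_child(1, uid, gid); }

int main(void)
{
    uid_t uid = demo_target_uid();
    gid_t gid = demo_target_gid();
    printf("running as uid %u, dropping to uid %u\n", (unsigned)getuid(), (unsigned)uid);
    printf("seteuid-only drop: root regainable = %d\n", check_temporary_drop(uid, gid));
    printf("setresuid drop:    root regainable = %d\n", check_permanent_drop(uid, gid));
    return 0;
}
```

Run it twice: as an unprivileged user both probes report 0, because there never was a root to go back to; started as root, the seteuid-only drop reports 1 and the setresuid drop 0. Which of Squid's enter_suid() callers can live with the second kind of drop is exactly the audit Amos describes.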