Bugzilla – Bug 1216742
VUL-0: squid: Use-After-Free in Cache Manager Errors
Last modified: 2024-05-17 12:01:03 UTC
Created attachment 870536
Base64 encoded reproducer

https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html

Squid-Security-Audit
Use-After-Free in Cache Manager Errors

Squid’s internal ‘CacheManager’ is used by administrators to help debug issues and learn information about Squid’s cache and running statistics. It can be accessed through the general scheme cache_object://, such as cache_object://mycache.example.com/info.

More details inside the squid security audit.

Reproducer:

you need 2 systems:
- squid (192.168.0.1)
- lynx client (192.168.0.3)

1. Install and start squid on a dedicated system. Add the following configuration lines.

    http_port 2222
    cache allow all
    http_reply_access allow all
    uri_whitespace encode
    http_access allow all
    reply_body_max_size 6000

2. On the squid server run a strace command on the (squid-1) command.

    # strace -f -p <squid-1 PID>

3. Run the following nc command.

    # base64 -d PoC_Cache_Manager_Errors.base64 | nc 192.168.0.1 2222

Now you should see that the (squid-1) process got killed.

    --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=31952, si_uid=469} ---
    +++ killed by SIGABRT (core dumped) +++
Currently there is no patch available. The access to the Cache Manager port should be restricted and not be available to the public. Please use best practice to limit the access to only authorized persons.
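
One way to check whether a squid.conf leaves the Cache Manager reachable from non-local clients, as an added example that is not part of this bug report or of Squid itself. It assumes Squid's built-in ACLs `all`, `manager` and `localhost` and its first-match-wins evaluation of `http_access`; the function name and the restricted sample configuration are constructed for illustration.

```python
# Added example, not from the bug report or the Squid project.
# Assumption: Squid's built-in ACLs, evaluated for a cache manager
# request that arrives from a non-local client.
BUILTIN = {"all": True, "manager": True, "localhost": False}

# http_access line from the reproducer configuration in this report.
REPRODUCER_CONF = "http_access allow all\n"

# Constructed sample: manager allowed from localhost only, then denied.
RESTRICTED_CONF = """\
http_access allow localhost manager
http_access deny manager
http_access allow all
"""

def remote_manager_verdict(conf_text):
    """Return 'allow', 'deny' or 'unknown' for a remote manager request.

    http_access rules are checked top to bottom; the first rule whose
    ACLs all match decides. ACLs this script cannot evaluate (anything
    outside BUILTIN) give 'unknown' so a human reviews that rule.
    """
    last_action = None
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "http_access":
            continue
        action, acls = fields[1], fields[2:]
        last_action = action
        results = []
        for name in acls:
            negate = name.startswith("!")
            value = BUILTIN.get(name.lstrip("!"))
            results.append(None if value is None else value != negate)
        if False in results:
            continue  # one ACL does not match, so the rule is skipped
        if None in results:
            return "unknown"
        return action
    if last_action is None:
        return "deny"  # no http_access lines at all: Squid denies
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if last_action == "allow" else "allow"

if __name__ == "__main__":
    for label, conf in (("reproducer", REPRODUCER_CONF),
                        ("restricted", RESTRICTED_CONF)):
        print(label, "->", remote_manager_verdict(conf))
```

An 'unknown' verdict means a rule using a site-defined ACL was reached before any rule the script can decide, so that rule needs manual review.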