from SecurityFocus Vulnerabilities http://ift.tt/1YvFeqL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I. VULNERABILITY
- -------------------------
Multiple vulnerabilities in squid 0.4.16_2 running on pfSense
Version 2.3.1-RELEASE-p1
II. BACKGROUND
- -------------------------
The pfSense project is a free network firewall distribution, based on the
FreeBSD operating system, with a custom kernel and an array of third-party
free software packages that can be installed for additional functionality.
Through this package system pfSense software is able to provide most of
the functionality of common commercial firewalls, and many times more.
III. DESCRIPTION
- -------------------------
In pfSense, it is possible to configure a third-party package, Squid, to
act as a transparent HTTP proxy. This package uses clamd as an AV
solution.
If clamd detects a piece of malware in one of the proxied requests, the
request is blocked and the user is redirected to the following URL
instead:
http://ift.tt/266RHDEcar.com&source=10.10.10.100&user=-&virus=stream:%20Eicar-TestSignature%20FOUND
Upon inspection of the source code of the Squid package, the file
"squid_clwarn.php" appears to contain several vulnerabilities.
At the start of the file we see that various request parameters are loaded
into local variables through the $_REQUEST superglobal (which merges GET,
POST and cookie values, so the attacker is not limited to the query string):
==========================================================================
$url = $_REQUEST['url'];
$virus = ($_REQUEST['virus'] ? $_REQUEST['virus'] : $_REQUEST['malware']);
$source = preg_replace("@/-@", "", $_REQUEST['source']);
$user = $_REQUEST['user'];
==========================================================================
These variables are later rendered directly into the HTML response, without
any form of output escaping (such as htmlspecialchars()), resulting in a
reflected XSS vulnerability.
Proof of Concept:
http://ift.tt/1YvF56Jm:
The information sent in this HTTP GET request is also saved to a log file:
==========================================================================
error_log(date("Y-m-d H:i:s") . " | VIRUS FOUND | " . $virus . " | " .
$url . " | " . $source . " | " . $user . "\n", 3,
"/var/log/c-icap/virus.log");
==========================================================================
An administrator who views this log through the pfSense web-GUI, at
"squid-monitor.php", is exposed to a stored XSS vulnerability, because the
logged values are again rendered directly into HTML output without proper
escaping.
Finally, "squid_clwarn.php" performs no authentication at all, so anyone
who can reach the page can write entries to "/var/log/c-icap/virus.log",
making log manipulation attacks possible. For example, requesting the
following URL results in an empty log entry being added.
Proof of Concept:
http://ift.tt/266RWP6
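The following is an added example, not code from the pfSense Squid package or
the vendor's fix. It shows one way to harden the three weaknesses described
above in a single flow: the untrusted request values are normalised before
use, escaped on output in the warning page, written to the log in a form that
cannot span more than one line or spoof a column, and escaped again when a
log line is rendered for an administrator. The function names, the length
cap, the demo request and the PHP 7.4+ syntax are assumptions made for
illustration.

```php
<?php
// Added example, not code from the pfSense Squid package: one way to harden
// the request handling, HTML output and log writing that the advisory
// describes for squid_clwarn.php. Function names, the field length cap and
// the demo request below are assumptions made for illustration.
declare(strict_types=1);

const MAX_FIELD = 512;   // assumed cap per field; the original has none

// Normalise one untrusted value: reject non-strings (url[]=x arrives as an
// array), strip control characters so CR/LF can never split a log record,
// encode the field delimiter so a value cannot fake extra columns, and
// bound the length.
function clean_value($v, string $default = '-'): string
{
    if (!is_string($v) || $v === '') {
        return $default;
    }
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v);
    $v = str_replace('|', '%7C', $v);
    return substr($v, 0, MAX_FIELD);
}

// Build the four fields from a request array ($_GET in the real page; a
// constructed array in the demo). Same parameter names and "virus"/"malware"
// precedence as the original, but every value is cleaned.
function parse_request(array $req): array
{
    $virus = (isset($req['virus']) && $req['virus'] !== '') ? $req['virus']
           : ($req['malware'] ?? '-');
    // Squid appends "/-" to the client address; strip it as the original
    // does, then accept only a syntactically valid IP so "source" cannot
    // carry markup at all.
    $src = preg_replace('@/-@', '', clean_value($req['source'] ?? null));
    if (filter_var($src, FILTER_VALIDATE_IP) === false) {
        $src = '-';
    }
    return [
        'url'    => clean_value($req['url'] ?? null),
        'virus'  => clean_value($virus),
        'source' => $src,
        'user'   => clean_value($req['user'] ?? null),
    ];
}

// Escape on output. ENT_QUOTES covers both text and attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The warning page: every field passes through h() before it reaches HTML.
function render_warning(array $f): string
{
    return '<p>Blocked <code>' . h($f['url']) . '</code> requested by '
         . h($f['source']) . ' (user ' . h($f['user']) . '): '
         . h($f['virus']) . "</p>\n";
}

// One record per request in the package's pipe-separated layout. Since
// clean_value() removed CR and LF, a request can never produce a second line.
function format_log_line(array $f, int $ts): string
{
    return date('Y-m-d H:i:s', $ts) . ' | VIRUS FOUND | ' . $f['virus'] . ' | '
         . $f['url'] . ' | ' . $f['source'] . ' | ' . $f['user'] . "\n";
}

// The log viewer must escape on display as well, so markup that reaches the
// log by any other route still cannot run in the administrator's browser.
function render_log_line(string $line): string
{
    $cells = explode(' | ', rtrim($line, "\r\n"), 6);
    return '<tr>' . implode('', array_map(
        fn(string $c): string => '<td>' . h($c) . '</td>', $cells
    )) . "</tr>\n";
}

// Demo on a constructed request carrying the two payloads the advisory's
// findings hinge on: a script tag and an injected newline with a fake record.
$req = [
    'url'    => "http://www.example.test/eicar.com\n2016-06-07 00:00:00 | VIRUS FOUND | forged",
    'source' => '10.10.10.100/-',
    'user'   => '<script>alert(1)</script>',
    'virus'  => 'stream: Eicar-Test-Signature FOUND',
];
$f = parse_request($req);
echo render_warning($f);                 // <script> comes out as &lt;script&gt;
$line = format_log_line($f, 1465344000);
echo $line;                              // still one record; "\n" and "|" were neutralised
echo render_log_line($line);
```

Running it with the PHP CLI prints the escaped warning paragraph, one log
record in which the injected newline is gone and the pipes inside the URL
appear as %7C, and a table row whose cells are escaped. Neither change above
replaces the missing authentication: the page should additionally check that
the request arrived via Squid's redirect (for example, by only accepting it
from the proxy's own listener) before touching the log at all.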
IV. BUSINESS IMPACT
- -------------------------
An attacker can execute arbitrary JavaScript in the browser of a targeted
user who follows a crafted link (reflected XSS), and in the browser of any
administrator who views the log file through the pfSense web-GUI (stored
XSS). Because the page is unauthenticated, the attacker can also plant
arbitrary entries in the virus log.
V. SYSTEMS AFFECTED
- -------------------------
Tested on:
2.3.1-RELEASE-p1 (amd64)
built on Wed May 25 14:53:06 CDT 2016
FreeBSD 10.3-RELEASE-p3
With:
squid 0.4.16_2
VI. SOLUTION
- -------------------------
Upgrade squid to version 0.4.18.
VII. REVISION HISTORY
- -------------------------
June 10, 2016: Initial release
VIII. DISCLOSURE TIMELINE
- -------------------------
June 7, 2016: Vulnerability discovered by Remco Sprooten
June 7, 2016: Contacted vendor
June 7, 2016: Vendor confirmed the vulnerability
June 7, 2016: Vendor fixed the XSS vulnerabilities
June 8, 2016: Vendor updated the fix to prevent forged log entries
June 16, 2016: Vendor released a security advisory:
http://ift.tt/1YvFQg2
June 17, 2016: Sent to lists
IX. REFERENCES
- -------------------------
Devel (pfSense 2.4 packages):
http://ift.tt/266RikG94c4b2c0fb20c735
http://ift.tt/1YvFBBGf168d365cdebe520
RELENG_2_3_1 (pfSense 2.3.1_x packages):
http://ift.tt/266QKeEb0d9cfd7215791b8
http://ift.tt/1YvFar4b10c77dc2231793c
RELENG_2_3 (pfSense 2.3.2 packages):
http://ift.tt/266RAbk2ea7c6fdd55ffd20
http://ift.tt/1YvFy92d3f9bed7c2f7585f
RELENG_2_3_0 (pfSense 2.3_x packages):
http://ift.tt/266Sl450de881655958f1f3
http://ift.tt/1YvFpT4eadc9b50ea5b8d52
X. LEGAL NOTICES
- -------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XI. ABOUT
- -------------------------
Remco Sprooten
Security Consultant
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

=ih9y
-----END PGP SIGNATURE-----