Dear fulldisclosure,
Two and a half years ago an independent audit was performed on The Squid
Caching Proxy, which ultimately resulted in 55 vulnerabilities being
discovered in the project's C++ source code.
Although some of the issues have been fixed, the majority (35) remain
valid. The majority have not been assigned CVEs, and no patches or
workarounds are available. Some of the listed issues concern more than one
bug, which is why 45 issues are listed, despite there being 55
vulnerabilities in total (10 extra of the result of similar, but different
pathways to reproduce a vulnerability).
After two and a half years of waiting, I have decided to release the issues
publicly. The Squid Project is aware of this release.
The issues are listed below. Due to the sheer size of issues discovered,
technical details are not included in this email. However, breakdowns of
the code and proof-of-concepts can be found on GitHub:
https://megamansec.github.io/Squid-Security-Audit/
----
Stack Buffer Overflow in Digest Authentication
Use-After-Free in TRACE Requests
Partial Content Parsing Use-After-Free CVE-2021-31807
X-Forwarded-For Stack Overflow
Chunked Encoding Stack Overflow
Use-After-Free in Cache Manager Errors
Cache Poisoning by Large Stored Response Headers (With Bonus XSS)
Memory Leak in CacheManager URI Parsing CVE-2021-28652
RFC 2141 / 2169 (URN) Response Parsing Memory Leak CVE-2021-28651
Memory Leak in HTTP Response Parsing
Memory Leak in ESI Error Processing
1-Byte Buffer OverRead in RFC 1123 date/time Handling
Null Pointer Dereference in Gopher Response Handling GHSA-cg5h-v6vc-w33f
One-Byte Buffer OverRead in HTTP Request Header Parsing
strlen(NULL) Crash Using Digest Authentication
Assertion in ESI Header Handling
Integer Overflow in Range Header CVE-2021-31808
Gopher Assertion Crash
Whois Assertion Crash
Assertion in Gopher Response Handling
RFC 2141 / 2169 (URN) Assertion Crash
Vary: Other HTTP Response Assertion Crash CVE-2021-28662
Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
Assertion on IPv6 Host Requests with –disable-ipv6
Assertion Crash on Unexpected “HTTP/1.1 100 Continue” Response Header
Pipeline Prefetch Assertion With Double ‘Expect:100-continue’ Request
Headers
Pipeline Prefetch Assertion With Invalid Headers
Assertion Crash in Deferred Requests
Assertion in Digest Authentication
FTP URI Assertion
FTP Authentication Crash
Unsatisfiable Range Requests Assertion CVE-2021-31806
Crash in Content-Range Response Header Logic CVE-2021-33620
Assertion Crash In HTTP Response Headers Handling
Implicit Assertion in Stream Handling
Buffer UnderRead in SSL CN Parsing
Use-After-Free in ESI ‘Try’ (and ‘Choose’) Processing
Use-After-Free in ESI Expression Evaluation
Buffer Underflow in ESI
Assertion in Squid “Helper” Process Creator
Assertion Due to 0 ESI ‘when’ Checking
Assertion Using ESI’s When Directive
Assertion in ESI Variable Assignment (String)
Assertion in ESI Variable Assignment
Null Pointer Dereference In ESI’s esi:include and esi:when
----
Cheers,
Josh