Bug 207901

Summary: www/squid Host header forgery detection with sslbump leads to crash
Product: Ports & Packages
Reporter: Christophe Anselme-Moizan <christophe.anselmemoizan>
Component: Individual Port(s)
Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Some People
CC: fabrice.bruel, junovitch, pi, timp87
Priority: ---
Keywords: needs-qa, patch
Version: Latest
Flags: pi: maintainer-feedback+
       junovitch: merge-quarterly+
Hardware: amd64
OS: Any
Attachments:
  port patch (flags: none)
  port patch (flags: none)
  poudriere log (flags: none)
  port patch up to 14031 (flags: timp87: maintainer-approval+)
  poudriere log (flags: none)

Description Christophe Anselme-Moizan 2016-03-11 10:43:24 UTC
Hello,

I ran into a bug when trying an sslbump configuration on FreeBSD 10.
It seems that Host header forgery detection leads to a fatal segment violation.

When accessing several times

https://www.google.fr/search?q=test&biw=1920&bih=953&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjI1vayuLjLAhUBVhoKHeJIB0gQ_AUIBygC

a forged header is detected and the child dies.
After several times all squid processes have died.

Here's /var/log/squid/cache.log:

2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
#2: _sigaction + 0x342, ip = 0x803dcb062, sp = 0x7fffffffd170
#3: [unknown] + 0x0, ip = 0x7ffffffff003, sp = 0x7fffffffd1f0
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#5: _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 0x7b, ip = 0x56308b, sp = 0x7fffffffd7b0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
#7: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x8eb, ip = 0x60a6cb, sp = 0x7fffffffdb30
#8: _ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv + 0x2d, ip = 0x60c7cd, sp = 0x7fffffffdd80
#9: _ZL15ipcacheCallbackP13ipcache_entryi + 0x121, ip = 0x6e5141, sp = 0x7fffffffddb0
#10: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0xad, ip = 0x6e52dd, sp = 0x7fffffffde50
#11: _ZL12idnsCallbackP11_idns_queryPKc + 0x785, ip = 0x643365, sp = 0x7fffffffde90
#12: _ZL13idnsGrokReplyPKcmi + 0x1366, ip = 0x6461a6, sp = 0x7fffffffdfa0
#13: _ZL8idnsReadiPv + 0xd9a, ip = 0x63e02a, sp = 0x7fffffffe1f0
#14: _ZN4Comm8DoSelectEi + 0x225, ip = 0x966235, sp = 0x7fffffffe560
#15: _ZN16CommSelectEngine11checkEventsEi + 0x44, ip = 0x871fb4, sp = 0x7fffffffe5f0
#16: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x5a, ip = 0x65205a, sp = 0x7fffffffe630
#17: _ZN9EventLoop7runOnceEv + 0x29f, ip = 0x65266f, sp = 0x7fffffffe690
#18: _ZN9EventLoop3runEv + 0x5f, ip = 0x65239f, sp = 0x7fffffffe7c0
#19: _Z9SquidMainiPPc + 0xe68, ip = 0x6eb1a8, sp = 0x7fffffffe7e0
#20: _ZL13SquidMainSafeiPPc + 0x1a, ip = 0x6e9eea, sp = 0x7fffffffea80
#21: main + 0x22, ip = 0x6e9ec2, sp = 0x7fffffffebc0
#22: _start + 0x16f, ip = 0x5586cf, sp = 0x7fffffffebe0
#23: [unknown] + 0x0, ip = 0x800e34000, sp = 0x7fffffffec20
Use addr2line of similar to translate offsets to line information.
CPU Usage: 0.151 seconds = 0.100 user + 0.050 sys
Maximum Resident Size: 101264 KB
Page faults with physical i/o: 0
--------------------------------------------------------------------------------
# uname -a
FreeBSD VNF-SSLBump 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
-------------------------------------------------------------------------------
# pkg info squid
squid-3.5.15
Name           : squid
Version        : 3.5.15
Installed on   : Fri Mar 11 10:32:56 2016 CET
Origin         : www/squid
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : ipv6 www
Licenses       : GPLv2
Maintainer     : timp87@gmail.com
WWW            : http://www.squid-cache.org/
Comment        : HTTP Caching Proxy
Options        :
        ARP_ACL        : off
        AUTH_LDAP      : on
        AUTH_NIS       : on
        AUTH_SASL      : off
        AUTH_SMB       : off
        AUTH_SQL       : off
        CACHE_DIGESTS  : off
        DEBUG          : on
        DELAY_POOLS    : off
        DOCS           : on
        ECAP           : on
        ESI            : off
        EXAMPLES       : on
        FOLLOW_XFF     : off
        FS_AUFS        : on
        FS_DISKD       : on
        FS_ROCK        : off
        GSSAPI_BASE    : on
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : off
        GSSAPI_NONE    : off
        HTCP           : on
        ICAP           : on
        ICMP           : off
        IDENT          : on
        IPV6           : on
        KQUEUE         : on
        LARGEFILE      : off
        LAX_HTTP       : off
        NETTLE         : off
        SNMP           : on
        SSL            : on
        SSL_CRTD       : on
        STACKTRACES    : on
        TP_IPF         : off
        TP_IPFW        : off
        TP_PF          : on
        VIA_DB         : off
        WCCP           : on
        WCCPV2         : off
Shared Libs required:
        liblber-2.4.so.2
        libecap.so.3
        libunwind.so.8
        libldap-2.4.so.2
Annotations    :
        cpe            : cpe:2.3:a:squid-cache:squid:3.5.15:::::freebsd10:x64
Flat size      : 40.2MiB
Description    :
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite)
HTTP/1.1 compliant. Squid offers a rich access control, authorization and
logging environment to develop web proxy and content serving applications.

WWW: http://www.squid-cache.org/
------------------------------------------------------------------------------
# cat /usr/local/etc/squid/squid.conf

#
# Recommended minimum configuration:
#

visible_hostname VNF-SSLBump

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
#https_port 3130 intercept ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem
https_port 3130 intercept ssl-bump cert=/usr/local/etc/squid/ssl/squid.pem

always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl banned ssl::server_name .fnac.com
acl banned ssl::server_name .fnac.fr


ssl_bump peek step1 all
ssl_bump terminate banned
ssl_bump splice all

#ssl_bump bump all

sslproxy_cafile /usr/local/etc/squid/cabundle.crt

url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
-------------------------------------------------------------------------------

Thanks for your help
Best Regards
Christophe
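Added example, not from the report or from Squid itself: a small Python parser for cache.log lines in the format quoted above. It flags a forgery alert when the next event logged is the FATAL segment violation, so an operator can count worker deaths instead of noticing them only once every squid process is gone. The sample log is constructed (the second alert and the startup line are invented); the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/squid/cache.log, modelled on the report's quoted lines.
SAMPLE_LOG = """\
2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
2016/03/11 11:36:02.118 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.7:443 remote=10.0.0.9:40022 FD 23 flags=33 (local IP does not match any domain IP)
2016/03/11 11:36:05.900 kid1| Starting Squid Cache version 3.5.15 for amd64-portbld-freebsd10.1...
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) kid\d+\| "
    r"SECURITY ALERT: Host header forgery detected on local=(?P<local>\S+) "
    r"remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=\d+ \((?P<reason>[^)]*)\)\s*$")
FATAL_RE = re.compile(r"^FATAL: Received Segment Violation")
STAMPED_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

@dataclass
class ForgeryAlert:
    ts: str
    local: str
    remote: str
    fd: int
    reason: str
    followed_by_crash: bool = False  # the worker died right after this alert

def parse_cache_log(text: str) -> List[ForgeryAlert]:
    """Collect forgery alerts and flag those whose next event is the FATAL
    segment-violation line, which is the sequence shown in this report."""
    alerts: List[ForgeryAlert] = []
    pending: Optional[ForgeryAlert] = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            pending = ForgeryAlert(m["ts"], m["local"], m["remote"],
                                   int(m["fd"]), m["reason"])
            alerts.append(pending)
        elif FATAL_RE.match(line) and pending is not None:
            pending.followed_by_crash = True
            pending = None
        elif STAMPED_RE.match(line):
            pending = None  # a normal log event intervened: no crash link
    return alerts

def summarize(alerts: List[ForgeryAlert]) -> dict:
    """Operator rollup: alert count, crash-linked count, client IPs involved."""
    return {
        "alerts": len(alerts),
        "crashes": sum(a.followed_by_crash for a in alerts),
        "remotes": sorted({a.remote.rsplit(":", 1)[0] for a in alerts}),
    }
```

Run it over a real cache.log with `summarize(parse_cache_log(open(path).read()))`; a non-zero "crashes" count means the unpatched 3.5.15/3.5.16 behaviour described here is still occurring.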
Comment 1 Pavel Timofeev 2016-03-11 11:48:52 UTC
(In reply to Christophe Anselme-Moizan from comment #0)
I'm sorry, but I think squid's bugzilla (http://bugs.squid-cache.org/index.cgi) is a better place to report this issue.
Comment 2 Pavel Timofeev 2016-03-14 08:18:25 UTC
(In reply to Christophe Anselme-Moizan from comment #0)
You could try the patch from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207762 at least.
Comment 3 Christophe Anselme-Moizan 2016-03-14 08:37:01 UTC
I posted on squid's bugzilla too after your comment.
I will try the patch today.
Comment 4 Christophe Anselme-Moizan 2016-03-14 15:27:08 UTC
(In reply to timp87 from comment #2)

Thank you for your help.
The patch didn't resolve my problem. I'm still facing the same issue.

I'm waiting for squid's bugzilla feedback and will let you know.
Comment 5 Pavel Timofeev 2016-03-14 15:40:52 UTC
(In reply to Christophe Anselme-Moizan from comment #4)
You could provide the link to squid's bugzilla.
Comment 6 Christophe Anselme-Moizan 2016-03-14 15:49:54 UTC
(In reply to timp87 from comment #5)

http://bugs.squid-cache.org/show_bug.cgi?id=4465
Comment 7 Christophe Anselme-Moizan 2016-03-17 09:57:34 UTC
I tried with STABLE rather than RELEASE; same problem.

[root@FBSD10STABLE ~]# uname -a
FreeBSD FBSD10STABLE 10.3-BETA2 FreeBSD 10.3-BETA2 #0 r295624: Mon Feb 15 15:49:00 CET 2016     root@aa:/usr/obj/usr/src/sys/FBSD10PF  amd64


2016/03/17 10:17:23.173 kid1| SECURITY ALERT: Host header forgery detected on local=80.252.91.41:443 remote=10.0.0.2:58678 FD 55 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: _pthread_sigmask + 0x51a, ip = 0x803b20b4a, sp = 0x7fffffffda70
#2: _pthread_getspecific + 0xe1c, ip = 0x803b2022c, sp = 0x7fffffffde30
#3: [unknown] + 0x0, ip = 0x7ffffffff193, sp = 0x7fffffffdeb0
#4: strlen + 0xb, ip = 0x803e7a3ab, sp = 0x7fffffffe460
#5: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x2fe, ip = 0x571eee, sp = 0x7fffffffe470
#6: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x3f7, ip = 0x571987, sp = 0x7fffffffe4f0
#7: _ZL15ipcacheCallbackP13ipcache_entryi + 0xc3, ip = 0x5fa6d3, sp = 0x7fffffffe5b0
#8: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0x1079, ip = 0x5fb7a9, sp = 0x7fffffffe620
#9: _ZL12idnsCallbackP11_idns_queryPKc + 0x5b9, ip = 0x590fa9, sp = 0x7fffffffe710
#10: _ZL13idnsGrokReplyPKcmi + 0xe47, ip = 0x5930f7, sp = 0x7fffffffe780
#11: _ZL8idnsReadiPv + 0x57d, ip = 0x58d2dd, sp = 0x7fffffffe7d0
#12: _ZN4Comm8DoSelectEi + 0x140, ip = 0x797ec0, sp = 0x7fffffffe8b0
#13: _ZN16CommSelectEngine11checkEventsEi + 0x2e, ip = 0x710f4e, sp = 0x7fffffffe900
#14: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x2c, ip = 0x59a30c, sp = 0x7fffffffe920
#15: _ZN9EventLoop7runOnceEv + 0xa6, ip = 0x59a5e6, sp = 0x7fffffffe960
#16: _ZN9EventLoop3runEv + 0x48, ip = 0x59a528, sp = 0x7fffffffe9a0
#17: _Z9SquidMainiPPc + 0x26ad, ip = 0x600aad, sp = 0x7fffffffe9c0
#18: main + 0x14, ip = 0x5fe164, sp = 0x7fffffffec70
#19: _start + 0x16f, ip = 0x503d9f, sp = 0x7fffffffecb0
#20: [unknown] + 0x0, ip = 0x800b89000, sp = 0x7fffffffecf0
Use addr2line of similar to translate offsets to line information.
CPU Usage: 33.255 seconds = 31.437 user + 1.818 sys
Maximum Resident Size: 550688 KB
Page faults with physical i/o: 28
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2016-04-10 00:47:51 UTC
The patch referenced in the URL (the take 2 patch) doesn't appear to be reflected in http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.16.patch for the most recent release.  Is this still needed to resolve the issue or can we ask upstream to get this in and release a 3.5.17?
Comment 9 Pavel Timofeev 2016-04-11 06:36:23 UTC
(In reply to Jason Unovitch from comment #8)
Let's wait for a couple of days. I think they'll officially apply it for 3.5 soon.
Comment 10 Pavel Timofeev 2016-04-18 05:31:19 UTC
Created attachment 169422 [details]
port patch

Add all available patches, including the one which fixes the 'Host header forgery detection with sslbump' problem.
Exclude squid-3.5-14026.patch because it looks like it's not appropriate for 3.5.
Comment 11 Pavel Timofeev 2016-04-18 16:34:14 UTC
(In reply to timp87 from comment #10)
Sorry, don't commit it; I'm going to provide a better patch.
Comment 12 Pavel Timofeev 2016-04-19 13:25:56 UTC
Created attachment 169468 [details]
port patch

1. Add all available official patches up to 14030. One of these patches fixes 'header forgery detection with sslbump' problem.
2. Also add 14626 patch from squid4 which addresses "Add chained certificates and signing certificate to peek-then-bumped connections." problem.
Comment 13 Pavel Timofeev 2016-04-19 13:34:55 UTC
Created attachment 169469 [details]
poudriere log
Comment 14 Pavel Timofeev 2016-04-19 13:35:17 UTC
Ok, now it can be committed.
Comment 15 Pavel Timofeev 2016-04-20 05:15:50 UTC
Created attachment 169481 [details]
port patch up to 14031

Add all available official patches up to 14031.
It fixes two annoying and long-standing problems:
- header forgery detection leads to crash;
- add chained certificates and signing certificate to peek-then-bumped connections.
Comment 16 Pavel Timofeev 2016-04-20 05:35:03 UTC
Created attachment 169482 [details]
poudriere log

I suppose this change should go to the quarterly branch too.
Comment 17 Kurt Jaeger freebsd_committer freebsd_triage 2016-04-20 12:43:09 UTC
testbuilds@work
Comment 18 Pavel Timofeev 2016-04-20 12:55:27 UTC
Sorry, every time I have different problems with the maintainer-approval flag =)
Comment 19 Kurt Jaeger freebsd_committer freebsd_triage 2016-04-20 13:42:58 UTC
testbuilds are fine
Comment 20 commit-hook freebsd_committer freebsd_triage 2016-04-20 13:45:34 UTC
A commit references this bug:

Author: pi
Date: Wed Apr 20 13:45:23 UTC 2016
New revision: 413688
URL: https://svnweb.freebsd.org/changeset/ports/413688

Log:
  www/squid: Add all available official patches up to 14031

  It fixes two annoying and long-standing problems:
  - header forgery detection (using sslbump) leads to crash
  - add chained certificates and signing certificate to
    peek-then-bumped connections.

  PR:		207901
  MFH:		2016Q2
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Reported by:	Christophe Anselme-Moizan <christophe.anselmemoizan@orange.com>

Changes:
  head/www/squid/Makefile
  head/www/squid/distinfo
  head/www/squid/files/patch-src__ip__Intercept.cc
Comment 21 Kurt Jaeger freebsd_committer freebsd_triage 2016-04-20 13:49:04 UTC
Jason, you know my mfh handicap...
Comment 22 Pavel Timofeev 2016-04-20 18:12:39 UTC
(In reply to Kurt Jaeger from comment #21)
Don't waste your time on this; they've just released 3.5.17 with a CVE.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208939
God help us :)
Comment 23 Kurt Jaeger freebsd_committer freebsd_triage 2016-04-20 18:21:44 UTC
MFH is obsolete, new version was released.
Comment 24 commit-hook freebsd_committer freebsd_triage 2016-04-21 07:44:54 UTC
A commit references this bug:

Author: pi
Date: Thu Apr 21 07:44:45 UTC 2016
New revision: 413719
URL: https://svnweb.freebsd.org/changeset/ports/413719

Log:
  MFH: r413688 r413697

  www/squid: Add all available official patches up to 14031

  It fixes two annoying and long-standing problems:
  - header forgery detection (using sslbump) leads to crash
  - add chained certificates and signing certificate to
    peek-then-bumped connections.

  PR:		207901
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Reported by:	Christophe Anselme-Moizan <christophe.anselmemoizan@orange.com>

  www/squid: 3.5.16 -> 3.5.17

  Changes:
    http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_17.html
    http://www.squid-cache.org/Advisories/SQUID-2016_5.txt

  PR:		208939
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Security:	CVE-2016-4052, CVE-2016-4053, CVE-2016-4054

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/www/squid/Makefile
  branches/2016Q2/www/squid/distinfo
  branches/2016Q2/www/squid/files/patch-src__ip__Intercept.cc
Comment 25 Jason Unovitch freebsd_committer freebsd_triage 2016-04-22 01:44:54 UTC
Set merge-quarterly+ appropriately.

Kurt, thanks for taking this.  I have been sidetracked with work quite a bit lately.