Popular ISP utility exposed to new cache poisoning attack. Squison is the name of a recently discovered security bug in the Squid proxy server, a popular Linux utility deployed by many Internet providers as a transparent and/or caching proxy.
At its roots, Squid is a proxy server that takes traffic from incoming ports and relays it to its destination by masking its IP address. In most cases, Squid is used in transparent mode and does not alter the origin IP address, merely relaying traffic.
The reason behind deploying Squid in such a manner is to gather more insights on Web traffic, but also for caching purposes. Small and large ISPs use this technique to speed up page loads by providing an already-cached Web page to their subscribers, but also for saving bandwidth.
For these reasons, unknown to many end users, at one point or another, much of their Web traffic passes through a Squid server.
Squison attack works only for HTTP traffic
According to Jianjun Chen, a postgraduate student at Tsinghua University, a vulnerability exists in Squid 3.5.12 up to 3.5.17 and all 4.x versions up to 4.0.9, which allows attackers to poison a Squid proxy server’s cache with malicious content.
The attack relies on the attacker being able to pass malicious traffic through the proxy and works only for HTTP connections.
The attacker must first access (through a Squid proxy) a site under their control, such as attack.com. The attack’s next stage moves to the attack.com server, where the crook then requests any site with the following command.
GET http://victim.com/ HTTP/1.1 Host: attack.com
“When it inspects the destination IP address for consistency, however, it mistakenly checks it against the value of the Host header, ‘attack.com’, rather than ‘vicitim.com,'” said Jianjun Chen. “Thus, the proxy directly passes the request to the ‘attack.com’ server, but caches the (malicious) reply the server returns as a resource of ‘victim.com’.”
This request leads to cache poisoning caused by inconsistent operation of route verification and cache modules.
Poisoning Web caches allows attackers to insert malicious content in the cached versions of websites considered secure and sometimes untouchable, such as Google, Facebook, or Twitter.
Squison cache poisoning attacks can be carried out via Flash ads
While this explanation might seem complicated, Chen says the attack is currently very easy to exploit in real-world scenarios because of the way the online advertising ecosystem works. A trivial Flash ad can be automated to carry out such attacks.
The Squid team released versions 4.0.10 and 3.5.18 to address this issue. Mitre has not yet assigned a CVE identifier to the Squison attack.
Proof-of-concept exploit code is available on GitHub while a video demonstration is available on Google Drive.