Vigil@nce: Squid, denial of service via the HTTP version
February 2009 by Marc Jacob
SYNTHESIS OF THE VULNERABILITY
A malicious web server can return a special HTTP version in order
to create a denial of service in Squid.
Gravity: 2/4
Consequences: denial of service of service
Provenance: intranet server
Means of attack: 2 attacks
Ability of attacker: beginner (1/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/02/2009
IMPACTED PRODUCTS
– Mandriva Linux
– Squid cache
DESCRIPTION OF THE VULNERABILITY
An HTTP reply starts by a line like:
HTTP/version code message
For example:
HTTP/1.0 200 OK
The httpParserParseReqLine() function of the src/HttpMsg.cc file
analyzes the line and decodes the version number as a major number
(1) and a minor number (0).
However, this function contains two asserts which stop Squid when
the major or minor version number is -1. Moreover, the unsigned
version number is stored in a signed integer.
A malicious web server can therefore return a special HTTP version
in order to create a denial of service in Squid.
CHARACTERISTICS
Identifiers: BID-33604, CVE-2009-0478, MDVSA-2009:034,
SQUID-2009:1, VIGILANCE-VUL-8442
http://vigilance.fr/vulnerability/Squid-denial-of-service-via-the-HTTP-version-8442