[jira] [Commented] (TS-2954) cache poisoning due to proxy.config.http.use_client_target_addr = 1

[Nikolai Gorchilov (JIRA)]

    [ 
https://issues.apache.org/jira/browse/TS-2954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079037#comment-14079037
 ] 

Nikolai Gorchilov commented on TS-2954:
---------------------------------------

[~shinrich], unfortunately it doesn't work for me, at least against 5.0.1 
tarballs.

proxy.config.http.use_client_target_addr = 2

Poisoning requests for http://i.ytimg.com/vi_webp/6eKYsYUlGB8/mqdefault.webp 
via wget -qSO/dev/null --header="Host: i.ytimg.com" 
http://91.239.13.61/vi_webp/6eKYsYUlGB8/mqdefault.webp

Here's the relevant http_trans log how the fake response gets cached, 
regardless of the invalid (91.239.13.61) IP of i.ytimg.com:

{noformat}
(http_trans) START HttpTransact::ModifyRequest
(http_trans) [ink_cluster_time] local: 1406705552, highest_delta: 0, cluster: 
1406705552
(http_trans) END HttpTransact::ModifyRequest
(http_trans) Checking if transaction wants to upgrade
(http_trans) Next action SM_ACTION_API_READ_REQUEST_HDR; 
HttpTransact::StartRemapRequest
(http_trans) START HttpTransact::StartRemapRequest
(http_trans) Before Remapping:
(http_trans) END HttpTransact::StartRemapRequest
(http_trans) Next action SM_ACTION_API_PRE_REMAP; HttpTransact::PerformRemap
(http_trans) Inside PerformRemap
(http_trans) Next action SM_ACTION_REMAP_REQUEST; HttpTransact::EndRemapRequest
(http_trans) START HttpTransact::EndRemapRequest
(http_trans) EndRemapRequest host is i.ytimg.com
(http_trans) After Remapping:
(http_trans) END HttpTransact::EndRemapRequest
(http_trans) Next action SM_ACTION_API_POST_REMAP; HttpTransact::HandleRequest
(http_trans) START HttpTransact::HandleRequest
(http_trans) [init_stat_vars_from_req] set req cont length to 0
(http_trans) [is_request_valid]no request header errors
(http_trans) [DecideCacheLookup] Will do cache lookup.
(http_trans) Next action SM_ACTION_CACHE_LOOKUP; __null
(http_trans) [HttpTransact::HandleCacheOpenRead]
(http_trans) CacheOpenRead -- miss
(http_trans) Next action SM_ACTION_DNS_LOOKUP; OSDNSLookup
(http_trans) [HttpTransact::OSDNSLookup] This was attempt 1
(http_trans) [OSDNSLookup] DNS lookup for O.S. successful IP: 91.239.13.61
(http_trans) Next action SM_ACTION_API_OS_DNS; HandleCacheOpenReadMiss
(http_trans) [HandleCacheOpenReadMiss] --- MISS
(http_trans) [build_request] removing host name from url
(http_trans) [build_request] request like cacheable and conditional headers 
removed
(http_trans) [ink_cluster_time] local: 1406705552, highest_delta: 0, cluster: 
1406705552
(http_trans) [build_request] request_sent_time: 1406705552
(http_trans) Next action next; __null
(http_trans) [HttpTransact::HandleResponse]
(http_trans) [ink_cluster_time] local: 1406705552, highest_delta: 0, cluster: 
1406705552
(http_trans) [HandleResponse] response_received_time: 1406705552
(http_trans) [is_response_valid] No errors in response
(http_trans) [handle_response_from_server] (hrfs)
(http_trans) [hrfs] connection alive
(http_trans) [handle_forward_server_connection_open] (hfsco)
(http_trans) [hfsco] cache action: CACHE_DO_WRITE
(http_trans) [handle_cache_operation_on_forward_server_response] (hcoofsr)
(http_trans) [is_response_cacheable] client permits storing
(http_trans) [is_response_cacheable] YES by default 
(http_trans) [hcoofsr] response is cacheable
(http_trans) [hcoofsr] response code: 200
(http_trans) [hcoofsr] cache write
(http_trans) [handle_content_length_header] RESPONSE cont len in hdr is 5216
(http_trans) [Squid code generation] Hit/Miss: 49, Log: 51, Hier: 50
{noformat}


> cache poisoning due to proxy.config.http.use_client_target_addr = 1
> -------------------------------------------------------------------
>
>                 Key: TS-2954
>                 URL: https://issues.apache.org/jira/browse/TS-2954
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Cache, DNS, Security, TProxy
>            Reporter: Nikolai Gorchilov
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 5.1.0
>
>         Attachments: ts-2954.patch
>
>
> Current implementation of proxy.config.http.use_client_target_addr opens a 
> very simple attack vector for cache poisoning in transparent forwarding mode.
> An attacker (or malware installed on innocent end-user computer) puts a fake 
> IP for popular website like www.google.com or www.facebook.com in hosts file 
> on PC behind the proxy. Once an infected PC requests the webpage in question, 
> a cacheable fake response poisons the cache.
> In order to prevent such scenarios (as well as [some 
> others|http://www.kb.cert.org/vuls/id/435052]) Squid have implemented a 
> mechanism known as [Host Header Forgery 
> Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].
> In short, while requesting an URL from origin server IP as hinted by the 
> client, proxy makes independent DNS query in parallel in order to determine 
> if client supplied IP belongs to requested domain name. In case of 
> discrepancy between DNS and client IP, the transaction shall be flagged as 
> non-cacheable to avoid possible cache poisoning, while still serving the 
> origin response to the client.



--
This message was sent by Atlassian JIRA
(v6.2#6252)