Squid Cache vulnerability
CVSS v3.1 base score: 6.4 (Medium)
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Squid Cache vulnerability
Code name:
State:
Published:
Affected product: Squid Cache
Vulnerability name: Double-Free/Arbitrary code execution
Vulnerability type:
Remotely exploitable: No
CVSS v3.1 vector string: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 6.4
Exploit available: Yes
CVE ID(s): Pending
Description
A Double-Free bug was found in Squid versions up to 4.14 and 5.0.5 when processing the acl directive in configuration files, specifically when handling the first and second addresses of an entry.
This may allow arbitrary code execution on a Squid deployment where configuration files are processed from untrusted sources.
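The failure mode the description names, a cleanup path that releases the first and second address of an ACL entry twice, is easiest to see next to a cleanup that cannot do so. The following C program is an added illustration written for this page, not Squid's code: the ip_entry type and the ip_entry_parse and ip_entry_free functions are hypothetical names, and the sample inputs are constructed. It shows the two habits that rule out the class: every owner pointer is reset to NULL the moment it is freed, and a failed parse releases its partial state exactly once, so the caller's own cleanup afterwards finds nothing left to free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical two-address ACL entry ("first-second"); not Squid's code.
 * Both pointers are owned by the entry and are NULL when not allocated. */
typedef struct {
    char *first;
    char *second;
} ip_entry;

/* Release whatever the entry owns and reset the pointers, so that a second
 * call (for example from an outer error path) is a no-op instead of a
 * double free. Returns the number of allocations released. */
int ip_entry_free(ip_entry *e)
{
    int released = 0;
    if (e->first)  { free(e->first);  e->first  = NULL; released++; }
    if (e->second) { free(e->second); e->second = NULL; released++; }
    return released;
}

/* Copy [begin, end) into a fresh NUL-terminated buffer; NULL on empty input
 * or allocation failure. */
static char *dup_range(const char *begin, const char *end)
{
    size_t n = (size_t)(end - begin);
    if (n == 0) return NULL;
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memcpy(s, begin, n);
    s[n] = '\0';
    return s;
}

/* Parse "A" or "A-B" into e. Returns 1 on success, 0 on failure.
 * On failure the entry is left fully released and zeroed: the partially
 * built state is cleaned up exactly once, here, and a later
 * ip_entry_free() by the caller releases nothing. */
int ip_entry_parse(const char *text, ip_entry *e)
{
    e->first = e->second = NULL;
    const char *dash = strchr(text, '-');
    const char *end  = text + strlen(text);

    e->first = dup_range(text, dash ? dash : end);
    if (!e->first) goto fail;                 /* "-B": empty first address */

    if (dash) {
        e->second = dup_range(dash + 1, end);
        if (!e->second) goto fail;            /* "A-": empty second address */
    }
    return 1;

fail:
    ip_entry_free(e);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: two valid forms and two truncated ones. */
    const char *samples[] = { "10.0.0.1-10.0.0.9", "10.0.0.1", "10.0.0.1-", "-10.0.0.9" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ip_entry e;
        int ok = ip_entry_parse(samples[i], &e);
        printf("%-20s parse=%d first=%s second=%s\n", samples[i], ok,
               e.first ? e.first : "(null)", e.second ? e.second : "(null)");
        /* Caller-side cleanup: safe whether or not the parse failed, and safe
         * to repeat, because ip_entry_free() nulls what it releases. */
        int n1 = ip_entry_free(&e), n2 = ip_entry_free(&e);
        printf("  released %d then %d\n", n1, n2);
    }
    return 0;
}
```

The second ip_entry_free call in main returning 0 is the property that matters: once an owner pointer is nulled on release, no later cleanup path, however the error handling is nested, can hand the same block to free() again.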
Proof of Concept
Create a file, heap.conf, with the following contents:
Run squid as:
These are the values of the CPU registers at the moment of the crash:
$rax : 0x4141414141414141 ("AAAAAAAA"?)
$rbx : 0x0000555555c77f60 → 0x0000000900000009
$rcx : 0x0000555555dcd010 → 0x0003000200010004
$rdx : 0x39
$rsp : 0x00007fffffffe3c8 → 0x00005555558c4f93 →
<acl_ip_data::FactoryParse(char+0> call 0x555555709d10 <_Z13self_destructv>
$rbp : 0x0000555555e18da0 →
"1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$rsi : 0x0000555555e15e80 → 0x0000000000000000
$rdi : 0x4141414141414141 ("AAAAAAAA"?)
$rip : 0x0000555555af55e0 → <Mem::AllocatorProxy::freeOne(void*)+16>
mov rax, QWORD PTR [rax]
$r8 : 0x0
$r9 : 0x3b4
$r10 : 0x0000555555e19120 → 0x0000000000000000
$r11 : 0x246
$r12 : 0x0
$r13 : 0x0000555555d67aa0 →
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
$r14 : 0x0000555555e0a220 → 0x0000555555c49f98 → 0x00007ffff787ef20
→ <std::__cxx11::basic_ostringstream<char,+0> mov rax, QWORD PTR
[rip+0x9e619] # 0x7ffff791d540
$r15 : 0x00007fffffffe450 → 0x0000555555b37e3e → "FactoryParse"
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow
RESUME virtualx86 identification]
And the execution stops at:
   0x555555af55d9 <Mem::AllocatorProxy::freeOne(void*)+9>  mov rsi, rbp
   0x555555af55dc <Mem::AllocatorProxy::freeOne(void*)+12> pop rbp
   0x555555af55dd <Mem::AllocatorProxy::freeOne(void*)+13> mov rdi, rax
 → 0x555555af55e0 <Mem::AllocatorProxy::freeOne(void*)+16> mov rax, QWORD PTR [rax]
   0x555555af55e3 <Mem::AllocatorProxy::freeOne(void*)+19> mov rax, QWORD PTR [rax+0x28]
   0x555555af55e7 <Mem::AllocatorProxy::freeOne(void*)+23> jmp rax
   0x555555af55e9 nop
   0x555555af55ea nop WORD PTR [rax+rax*1+0x0]
   0x555555af55f0 <Mem::AllocatorProxy::inUseCount()+0>    mov rdi, QWORD PTR [rdi+0x10]
Because RAX is populated from the malicious configuration input, and the instructions from 0x555555af55e0 to 0x555555af55e7 dereference RAX twice and then jump to the result, the jump target is under the attacker's control: arbitrary code execution is achieved at 0x555555af55e7.
Mitigation
As of 2021-03-17, no patch resolving the issue is available. Until one is, the exposure is limited to deployments that process configuration files from untrusted sources (see Description).
References
Vendor page: http://www.squid-cache.org/
Full Disclosure announcement: https://seclists.org/fulldisclosure/2021/Feb/80
Timeline
Feb 8, 2021: Vulnerability discovered
Feb 9, 2021: Vendor contacted
Feb 10, 2021: Vendor replied
Feb 22, 2021: Vendor requested re-testing
Feb 22, 2021: Follow-up with vendor
Feb 24, 2021: Public disclosure

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.
Targets
Subscribe to our newsletter
Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.
© 2026 Fluid Attacks. We hack your software.