Date: Wed, 03 Jul 2002 11:48:07 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd))
Message-ID: <5.1.0.14.0.20020703114631.04f94d20@marble.sentex.ca>
Has anyone run the socks5 daemon below as a chrooted and non-privileged
user? It binds to 1080; is there any reason it needs to even run as root?
---Mike
>
>Dear Dave Ahmad,
>
>Nearly the same bugs exist in the reference socks5 implementation by NEC.
>There are a few different overflows; all look non-exploitable in
>socks5v1.0r11, at least on the majority of platforms, due to the specific
>data layout, but they may be exploitable in earlier versions or in derived
>software. Examples:
>
>1. in SOCKS5 User-Name parsing:
>
>proxy.c:
>
>static int GetString(S5IOHandle fd, char *buf, double *timerm) {
> u_char len;
>
> buf[0] = '\0';
> if (S5IORecv(fd, NULL, (char *)&len, 1, 0, UPWD_IOFLAGS, timerm) != 1)
> return -1;
> if (len == 0) return 0;
>
> if (S5IORecv(fd, NULL, buf, len, 0, UPWD_IOFLAGS, timerm) != len)
> return -1;
> buf[len] = '\0';
> return len;
>}
>
>The problem is that the target username buffer is 128 bytes.
>
>2. In SOCKS4 username parsing:
>
>proxy.c:
>
>static int HandleS4Connection(S5LinkInfo *pri, S5IOInfo *iio, list *auths,
>double *timerm) {
>...
> char buf[256+256+8],
>...
>
> for (tmp = buf, *tmp = '\0'; tmp < buf+sizeof(buf)-1; *++tmp = '\0') {
> if (S5IORecv(iio->fd, iio, tmp, 1, 0, PROXY_IOFLAGS, timerm) != 1) {
> S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(0), 0, "Socks4: Read failed: %m");
> return EXIT_ERR;
> }
>
> if (*tmp == '\0') break;
> }
>
> S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "Socks4: Read user: %s", buf);
>
> strcpy(pri->srcUser, buf);
>
>pri->srcUser is 128 bytes...
>
>3. In reading the hostname:
>
>struct sockaddr_name {
> unsigned short sn_family;
> unsigned short sn_port;
> char sn_name[255];
>};
>
>
>protocol.c:
> memcpy(result->sn.sn_name, buf+RP_HOSTOFF+1,
> (u_char)buf[RP_HOSTOFF]);
> memcpy(&result->sn.sn_port, buf+RP_HOSTOFF+1+buf[RP_HOSTOFF],
> sizeof(u_short));
> result->sn.sn_name[(int)(u_char)buf[RP_HOSTOFF]] = '\0';
>
>(off-by-one vulnerability).
>
>
>I've had no response from the authors.
>
>
>--
>~/ZARAZA
>Alcoholism constitutes a particular problem. (Lem)
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
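The three overflows quoted above share one pattern: a one-byte, attacker-chosen length is used to copy into a fixed buffer without being compared against that buffer's size. The following is an added example, not code from the original post or from NEC's socks5. It parses the same two fields over an in-memory byte buffer (standing in for S5IORecv on a socket): the RFC 1929 username/password request that GetString serves, and the domain-name address field of the protocol.c snippet, each with the missing check in place. The buffer sizes (128 and 255) and the sockaddr_name layout are those stated in the quoted message; build_upwd, parse_upwd, parse_hostname and nul_lands_in_padding are names chosen here for the demonstration, and the last one assumes the compiler's usual struct tail-padding rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 128              /* size of srcUser / username buffers in the message */

struct sockaddr_name {            /* layout as quoted in the message */
    unsigned short sn_family;
    unsigned short sn_port;
    char sn_name[255];
};

/* Length-prefixed string read from an in-memory stream. Unlike the quoted
 * GetString, the destination size is a parameter and a length that does not
 * fit together with its NUL is rejected before anything is written.
 * Returns the number of input bytes consumed, or -1. */
static int get_string_safe(const uint8_t *in, size_t inlen, char *out, size_t outsz)
{
    if (inlen < 1)
        return -1;
    size_t len = in[0];           /* u_char: 0..255, as in the original */
    if (len >= outsz)             /* the check GetString lacks */
        return -1;
    if (inlen < 1 + len)          /* truncated message */
        return -1;
    memcpy(out, in + 1, len);
    out[len] = '\0';
    return (int)(1 + len);
}

/* RFC 1929 request: VER(0x01) | ULEN | UNAME | PLEN | PASSWD */
struct upwd_req {
    char user[USER_MAX];
    char pass[USER_MAX];
};

int parse_upwd(const uint8_t *msg, size_t len, struct upwd_req *r)
{
    if (len < 1 || msg[0] != 0x01)
        return -1;
    size_t off = 1;
    int c = get_string_safe(msg + off, len - off, r->user, sizeof r->user);
    if (c < 0)
        return -1;
    off += (size_t)c;
    c = get_string_safe(msg + off, len - off, r->pass, sizeof r->pass);
    if (c < 0)
        return -1;
    off += (size_t)c;
    return off == len ? 0 : -1;   /* reject trailing bytes */
}

/* Domain-name field as in the quoted protocol.c: LEN | NAME | PORT(2 bytes).
 * The original wrote sn_name[LEN] = '\0' for LEN up to 255, one past the
 * array; here LEN must leave room for the terminator. */
int parse_hostname(const uint8_t *buf, size_t len, struct sockaddr_name *sn)
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    if (n >= sizeof sn->sn_name)  /* LEN == 255 is the off-by-one case */
        return -1;
    if (len < 1 + n + 2)
        return -1;
    memcpy(sn->sn_name, buf + 1, n);
    sn->sn_name[n] = '\0';
    memcpy(&sn->sn_port, buf + 1 + n, sizeof sn->sn_port);
    return 0;
}

/* 1 if the original's stray NUL at sn_name[255] still lands inside the
 * struct's tail padding, 0 if it spills into whatever follows the struct.
 * Assumes normal padding rules; this is the "data layout" point. */
int nul_lands_in_padding(void)
{
    return offsetof(struct sockaddr_name, sn_name) + 255 < sizeof(struct sockaddr_name);
}

/* Constructed test input: a request with a username of ulen 'A's and
 * password "pw". Returns the message length. */
size_t build_upwd(uint8_t *out, size_t ulen)
{
    size_t off = 0;
    out[off++] = 0x01;
    out[off++] = (uint8_t)ulen;
    memset(out + off, 'A', ulen);
    off += ulen;
    out[off++] = 2;
    out[off++] = 'p';
    out[off++] = 'w';
    return off;
}

int main(void)
{
    uint8_t msg[600];
    struct upwd_req r;
    size_t n = build_upwd(msg, 200);   /* would overrun a 128-byte buffer */
    printf("200-byte user: %s\n", parse_upwd(msg, n, &r) ? "rejected" : "accepted");
    printf("NUL at sn_name[255] stays in padding: %d\n", nul_lands_in_padding());
    return 0;
}
```

A username of 127 bytes is the longest the 128-byte buffer can hold with its NUL, so the boundary test is ulen 127 accepted and ulen 128 rejected. The same rule applied to sn_name makes 254 the longest acceptable hostname; with 255 the quoted code writes the terminator into the struct's padding on platforms where sizeof rounds 259 up to 260, which is the layout detail the message credits for the bug looking non-exploitable.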
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20020703114631.04f94d20>
