Date:      Wed, 03 Jul 2002 11:48:07 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        security@freebsd.org
Subject:   Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd))
Message-ID:  <5.1.0.14.0.20020703114631.04f94d20@marble.sentex.ca>


Has anyone run the socks5 daemon below as a chrooted and non-privileged
user?  It binds to 1080; is there any reason it needs to even run as root?

         ---Mike



>X-Virus-Scanned: By Sentex Communications (avscan2/20020220)
>
>Dear Dave Ahmad,
>
>Nearly the same bugs exist in the reference socks5 implementation by NEC.
>There are a few different overflows, all of which look not exploitable in
>socks5v1.0r11, at least on the majority of platforms due to specific data
>layout, but they may be exploitable in earlier versions or in derived
>software. Examples:
>
>1. in SOCKS5 User-Name parsing:
>
>proxy.c:
>
>static int GetString(S5IOHandle fd, char *buf, double *timerm) {
>     u_char len;
>
>     buf[0] = '\0';
>     if (S5IORecv(fd, NULL, (char *)&len, 1, 0, UPWD_IOFLAGS, timerm) != 1) return -1;
>     if (len == 0) return 0;
>
>     if (S5IORecv(fd, NULL, buf, len, 0, UPWD_IOFLAGS, timerm) != len) return -1;
>     buf[len] = '\0';
>     return len;
>}
>
>The problem is that the target username buffer is 128 bytes.
>
>2. In SOCKS4 username parsing:
>
>proxy.c:
>
>static int HandleS4Connection(S5LinkInfo *pri, S5IOInfo *iio, list *auths, double *timerm) {
>...
>    char buf[256+256+8],
>...
>
>     for (tmp = buf, *tmp = '\0'; tmp < buf+sizeof(buf)-1; *++tmp = '\0') {
>         if (S5IORecv(iio->fd, iio, tmp, 1, 0, PROXY_IOFLAGS, timerm) != 1) {
>             S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(0), 0, "Socks4: Read failed: %m");
>             return EXIT_ERR;
>         }
>
>         if (*tmp == '\0') break;
>     }
>
>     S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "Socks4: Read user: %s", buf);
>
>     strcpy(pri->srcUser, buf);
>
>pri->srcUser is 128 bytes...
>
>3. in reading hostname
>
>struct sockaddr_name {
>     unsigned short sn_family;
>     unsigned short sn_port;
>     char sn_name[255];
>};
>
>
>protocol.c:
>             memcpy(result->sn.sn_name,  buf+RP_HOSTOFF+1, (u_char)buf[RP_HOSTOFF]);
>             memcpy(&result->sn.sn_port, buf+RP_HOSTOFF+1+buf[RP_HOSTOFF], sizeof(u_short));
>             result->sn.sn_name[(int)(u_char)buf[RP_HOSTOFF]] = '\0';
>
>(off-by-one vuln).
>
>
>I've got no response from the authors.
>
>
>--
>~/ZARAZA
>Alcoholism constitutes a special problem. (Lem)

--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike


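Hardened counterparts of the three parsing paths quoted in the forwarded mail, as an added example rather than code from NEC socks5 or from either poster: the byte source is an in-memory buffer standing in for S5IORecv(), and the struct reader, the *_safe function names, the S5_USERBUF/S4_USERBUF/SN_NAME_MAX constants and the constructed inputs are this example's own assumptions. Each path is bounded by the destination's actual size rather than by the attacker-supplied length or a larger scratch buffer, and the three demo functions feed exactly the inputs the quoted code mishandles: a 200-byte SOCKS5 username, an unterminated SOCKS4 user id, and a 255-byte domain name (the off-by-one case).

```c
/* Hardened versions of the three socks5 parsing paths quoted above.
 * Input comes from an in-memory buffer instead of S5IORecv(). Names ending
 * in _safe, struct reader and the constants are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define S5_USERBUF 128          /* size of the SOCKS5 username buffer in the mail */
#define S4_USERBUF 128          /* size of pri->srcUser in the mail */
#define SN_NAME_MAX 255         /* longest name a 1-byte length prefix can carry */

struct reader { const uint8_t *data; size_t len, pos; };

/* Bounded read: returns n on success, -1 if fewer than n bytes remain. */
static int rd(struct reader *r, void *dst, size_t n) {
    if (r->len - r->pos < n) return -1;
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return (int)n;
}

/* 1. RFC 1929 length-prefixed string. The quoted GetString() writes len+1
 * bytes (len up to 255) into a 128-byte buffer. Here the destination size
 * is passed in, and any len that leaves no room for the NUL is rejected. */
int get_string_safe(struct reader *r, char *buf, size_t bufsz) {
    uint8_t len;
    buf[0] = '\0';
    if (rd(r, &len, 1) != 1) return -1;
    if (len == 0) return 0;
    if ((size_t)len >= bufsz) return -1;
    if (rd(r, buf, len) != len) return -1;
    buf[len] = '\0';
    return len;
}

/* 2. SOCKS4 user id: NUL-terminated, read one byte at a time. The quoted
 * loop is bounded by its 520-byte scratch buffer and then strcpy()s into
 * the 128-byte pri->srcUser. Here the loop is bounded by the destination. */
int get_s4_user_safe(struct reader *r, char *dst, size_t dstsz) {
    for (size_t i = 0; i < dstsz; i++) {
        if (rd(r, &dst[i], 1) != 1) { dst[0] = '\0'; return -1; }
        if (dst[i] == '\0') return (int)i;
    }
    dst[dstsz - 1] = '\0';      /* too long: still leave dst a valid string */
    return -1;
}

/* 3. SOCKS5 ATYP 0x03 domain address: 1-byte length, name, 2-byte port.
 * The quoted sockaddr_name has sn_name[255]; a 255-byte name followed by
 * sn_name[255] = '\0' writes one byte past the end. One extra byte fixes it. */
struct sockaddr_name_safe {
    unsigned short sn_family;
    unsigned short sn_port;             /* host order here, unlike the memcpy'd original */
    char sn_name[SN_NAME_MAX + 1];      /* 255 name bytes plus the terminator */
};

int parse_domain_addr_safe(struct reader *r, struct sockaddr_name_safe *out) {
    uint8_t len, port[2];
    if (rd(r, &len, 1) != 1 || len == 0) return -1;
    if (rd(r, out->sn_name, len) != len) return -1;
    out->sn_name[len] = '\0';           /* len <= SN_NAME_MAX, so always in bounds */
    if (rd(r, port, 2) != 2) return -1;
    out->sn_port = (unsigned short)((port[0] << 8) | port[1]);
    return len;
}

/* Constructed inputs (not captured traffic) that the quoted code mishandles. */
int demo_s5_long_username(void) {       /* 200-byte name into a 128-byte buffer */
    uint8_t msg[1 + 200]; char user[S5_USERBUF];
    msg[0] = 200; memset(msg + 1, 'A', 200);
    struct reader r = { msg, sizeof msg, 0 };
    return get_string_safe(&r, user, sizeof user);      /* -1: rejected */
}

int demo_s4_long_username(void) {       /* 300 bytes with no terminating NUL */
    uint8_t msg[300]; char user[S4_USERBUF];
    memset(msg, 'B', sizeof msg);
    struct reader r = { msg, sizeof msg, 0 };
    return get_s4_user_safe(&r, user, sizeof user);     /* -1: rejected */
}

int demo_domain_255(void) {             /* 255-byte name, port 1080: the off-by-one case */
    uint8_t msg[1 + 255 + 2]; struct sockaddr_name_safe sn;
    msg[0] = 255; memset(msg + 1, 'c', 255); msg[256] = 0x04; msg[257] = 0x38;
    struct reader r = { msg, sizeof msg, 0 };
    int n = parse_domain_addr_safe(&r, &sn);
    return (n == 255 && sn.sn_name[255] == '\0' && sn.sn_port == 1080) ? 255 : -1;
}

int main(void) {
    printf("s5 long user: %d\ns4 long user: %d\ndomain 255: %d\n",
           demo_s5_long_username(), demo_s4_long_username(), demo_domain_255());
    return 0;
}
```

The common thread in all three fixes is that the bound comes from sizeof the destination, never from the length byte on the wire or from an intermediate buffer that happens to be larger than the final one; dropping privileges or chrooting the daemon, as the forwarding question asks, limits what an overflow can reach but does not remove these writes.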



