Date: Wed, 03 Jul 2002 11:48:07 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd))
Message-ID: <5.1.0.14.0.20020703114631.04f94d20@marble.sentex.ca>
Has anyone run the socks5 daemon below as a chrooted and non-privileged user? It binds to 1080; is there any reason it needs to even run as root?

        ---Mike

>X-Virus-Scanned: By Sentex Communications (avscan2/20020220)
>
>Dear Dave Ahmad,
>
>Nearly the same bugs exist in the reference socks5 implementation by NEC. There
>are a few different overflows; all look not exploitable in socks5v1.0r11,
>at least on the majority of platforms due to specific data layout, but may
>be exploitable in earlier versions or in derived software. Examples:
>
>1. in SOCKS5 User-Name parsing:
>
>proxy.c:
>
>static int GetString(S5IOHandle fd, char *buf, double *timerm) {
>    u_char len;                      /* wire length byte: 0..255 */
>
>    buf[0] = '\0';
>    if (S5IORecv(fd, NULL, (char *)&len, 1, 0, UPWD_IOFLAGS, timerm) != 1)
>        return -1;
>    if (len == 0) return 0;
>
>    /* len bytes plus the NUL go into buf without checking its size */
>    if (S5IORecv(fd, NULL, buf, len, 0, UPWD_IOFLAGS, timerm) != len)
>        return -1;
>    buf[len] = '\0';
>    return len;
>}
>
>The problem is that the target username buffer is 128 bytes.
>
>2. In SOCKS4 username parsing:
>
>proxy.c:
>
>static int HandleS4Connection(S5LinkInfo *pri, S5IOInfo *iio, list *auths, double *timerm) {
>...
>    char buf[256+256+8],
>...
>
>    /* reads up to sizeof(buf)-1 bytes of NUL-terminated USERID */
>    for (tmp = buf, *tmp = '\0'; tmp < buf+sizeof(buf)-1; *++tmp = '\0') {
>        if (S5IORecv(iio->fd, iio, tmp, 1, 0, PROXY_IOFLAGS, timerm) != 1) {
>            S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(0), 0, "Socks4: Read failed: %m");
>            return EXIT_ERR;
>        }
>
>        if (*tmp == '\0') break;
>    }
>
>    S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "Socks4: Read user: %s", buf);
>
>    strcpy(pri->srcUser, buf);       /* unbounded copy into srcUser */
>
>pri->srcUser is 128 bytes...
>
>3. in reading hostname
>
>struct sockaddr_name {
>    unsigned short sn_family;
>    unsigned short sn_port;
>    char sn_name[255];
>};
>
>
>protocol.c:
>    memcpy(result->sn.sn_name, buf+RP_HOSTOFF+1, (u_char)buf[RP_HOSTOFF]);
>    memcpy(&result->sn.sn_port, buf+RP_HOSTOFF+1+buf[RP_HOSTOFF], sizeof(u_short));
>    /* with a length byte of 255 this writes sn_name[255], one past the end */
>    result->sn.sn_name[(int)(u_char)buf[RP_HOSTOFF]] = '\0';
>
>(off-by-one vuln).
>
>
>I've got no response from the authors.
>
>
>--
>~/ZARAZA
>Alcoholism constitutes a particular problem. (Lem)

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications,                                mike@sentex.net
Providing Internet since 1994                         www.sentex.net
Cambridge, Ontario Canada                             www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
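The three patterns in the forwarded message (an unchecked length byte into a fixed buffer, strcpy() of a larger scratch buffer into a smaller field, and a terminator written at index LEN of a LEN-sized array) share one fix: check the attacker-controlled length against the destination before touching it. The following is an added example written for this page, not code from NEC's socks5 or from the poster. It replaces S5IORecv() with a constructed in-memory reader, keeps the buffer sizes and field names the post gives (128-byte username fields, sn_name[255], RP_HOSTOFF), and assumes RP_HOSTOFF is 4, the offset of the LEN byte in a SOCKS5 request with ATYP=0x03; the post does not give that value. The three hardened functions and the sample packets are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed in-memory stand-in for the S5IORecv() socket reads in the post. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} membuf;

static int mem_recv(membuf *m, void *out, size_t n)
{
    if (m->len - m->pos < n)
        return -1;                          /* short read: truncated input */
    memcpy(out, m->data + m->pos, n);
    m->pos += n;
    return (int)n;
}

#define USER_MAX   128   /* size of the username fields named in the post */
#define RP_HOSTOFF 4     /* offset of LEN in a SOCKS5 request with ATYP=0x03 (assumed) */

struct sockaddr_name {   /* layout as quoted in the post */
    unsigned short sn_family;
    unsigned short sn_port;
    char sn_name[255];
};

/* Bug 1, hardened. RFC 1929 field: one u_char LEN, then LEN bytes. LEN is
 * untrusted (0..255) and is checked against the destination before any data
 * is read. Returns the length, -1 on short read, -2 if it would not fit. */
static int get_string_safe(membuf *m, char *buf, size_t bufsz)
{
    unsigned char len;

    buf[0] = '\0';
    if (mem_recv(m, &len, 1) != 1)
        return -1;
    if (len == 0)
        return 0;
    if ((size_t)len >= bufsz)               /* LEN bytes plus the NUL must fit */
        return -2;
    if (mem_recv(m, buf, len) != (int)len)
        return -1;
    buf[len] = '\0';
    return len;
}

/* Bug 2, hardened. SOCKS4 USERID is NUL-terminated and is read byte by byte into
 * the same 520-byte scratch buffer as HandleS4Connection(); the change is a size
 * check before copying into the 128-byte destination instead of strcpy().
 * Returns the length, -1 on short read, -2 if it would not fit. */
static int read_s4_user_safe(membuf *m, char *dst, size_t dstsz)
{
    char buf[256 + 256 + 8];
    char *tmp;
    size_t n;

    for (tmp = buf, *tmp = '\0'; tmp < buf + sizeof(buf) - 1; *++tmp = '\0') {
        if (mem_recv(m, tmp, 1) != 1)
            return -1;
        if (*tmp == '\0')
            break;
    }
    n = strlen(buf);                        /* the loop always leaves buf NUL-terminated */
    if (n >= dstsz)
        return -2;
    memcpy(dst, buf, n + 1);
    return (int)n;
}

/* Bug 3, hardened. Domain-name address: LEN, LEN bytes of name, 2 bytes of port.
 * sn_name holds 255 bytes, so LEN == 255 leaves no room for the terminator that
 * the original writes at sn_name[LEN]. Every access is also bounded by buflen.
 * Returns 0 on success, -1 if the packet is truncated, -2 if the name would not fit. */
static int parse_hostname_safe(const unsigned char *buf, size_t buflen,
                               struct sockaddr_name *out)
{
    size_t len, need;

    if (buflen < (size_t)RP_HOSTOFF + 1)
        return -1;
    len = buf[RP_HOSTOFF];                  /* unsigned, so it never indexes backwards */
    need = (size_t)RP_HOSTOFF + 1 + len + 2;
    if (buflen < need)
        return -1;
    if (len >= sizeof(out->sn_name))
        return -2;
    memset(out, 0, sizeof(*out));
    memcpy(out->sn_name, buf + RP_HOSTOFF + 1, len);
    out->sn_name[len] = '\0';
    out->sn_port = (unsigned short)((buf[RP_HOSTOFF + 1 + len] << 8) |
                                    buf[RP_HOSTOFF + 2 + len]);   /* host order */
    return 0;
}

int main(void)
{
    static const unsigned char user_ok[] = { 5, 'a', 'l', 'i', 'c', 'e' };  /* constructed */
    static unsigned char user_big[1 + 200];                                 /* LEN = 200 */
    membuf m = { user_ok, sizeof user_ok, 0 };
    char u[USER_MAX];

    printf("socks5 uname 'alice': %d\n", get_string_safe(&m, u, sizeof u));
    user_big[0] = 200;
    memset(user_big + 1, 'A', 200);
    m.data = user_big; m.len = sizeof user_big; m.pos = 0;
    printf("socks5 uname of 200 bytes: %d (rejected)\n", get_string_safe(&m, u, sizeof u));
    return 0;
}
```

The rejected cases return before any data is copied, so a client sending a 200-byte username or a 255-byte hostname gets a protocol error rather than a write past the buffer; that is the check a derived implementation of this code should carry, independent of whether the daemon is also run unprivileged and chrooted as Mike asks.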
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20020703114631.04f94d20>