From owner-freebsd-security Wed Jul 3 8:44:59 2002
Date: Wed, 03 Jul 2002 11:48:07 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd))

Has anyone run the socks5 daemon below as a chrooted and non-privileged user? It binds to 1080; is there any reason it even needs to run as root?

        ---Mike

>Dear Dave Ahmad,
>
>Nearly the same bugs exist in the reference socks5 implementation by NEC. There
>are a few different overflows; all of them look non-exploitable in socks5v1.0r11,
>at least on the majority of platforms, due to the specific data layout, but they may
>be exploitable in earlier versions or in derived software. Examples:
>
>1. In SOCKS5 User-Name parsing:
>
>proxy.c:
>
>static int GetString(S5IOHandle fd, char *buf, double *timerm) {
>    u_char len;
>
>    buf[0] = '\0';
>    if (S5IORecv(fd, NULL, (char *)&len, 1, 0, UPWD_IOFLAGS, timerm) != 1) return -1;
>    if (len == 0) return 0;
>
>    /* len (0..255) is never compared against the size of buf */
>    if (S5IORecv(fd, NULL, buf, len, 0, UPWD_IOFLAGS, timerm) != len) return -1;
>    buf[len] = '\0';
>    return len;
>}
>
>The problem is that the target username buffer is 128 bytes.
>
>2. In SOCKS4 username parsing:
>
>proxy.c:
>
>static int HandleS4Connection(S5LinkInfo *pri, S5IOInfo *iio, list *auths, double *timerm) {
>...
>    char buf[256+256+8],
>...
>
>    for (tmp = buf, *tmp = '\0'; tmp < buf+sizeof(buf)-1; *++tmp = '\0') {
>        if (S5IORecv(iio->fd, iio, tmp, 1, 0, PROXY_IOFLAGS, timerm) != 1) {
>            S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(0), 0, "Socks4: Read failed: %m");
>            return EXIT_ERR;
>        }
>
>        if (*tmp == '\0') break;
>    }
>
>    S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "Socks4: Read user: %s", buf);
>
>    /* unbounded copy of up to 519 bytes into a 128-byte field */
>    strcpy(pri->srcUser, buf);
>
>pri->srcUser is 128 bytes...
>
>3. In reading the hostname:
>
>struct sockaddr_name {
>    unsigned short sn_family;
>    unsigned short sn_port;
>    char sn_name[255];
>};
>
>protocol.c:
>    memcpy(result->sn.sn_name, buf+RP_HOSTOFF+1, (u_char)buf[RP_HOSTOFF]);
>    memcpy(&result->sn.sn_port, buf+RP_HOSTOFF+1+buf[RP_HOSTOFF], sizeof(u_short));
>    /* with a length byte of 255 this writes sn_name[255], one past the end */
>    result->sn.sn_name[(int)(u_char)buf[RP_HOSTOFF]] = '\0';
>
>(off-by-one vuln).
>
>I've got no response from the authors.
>
>--
>~/ZARAZA
>Alcoholism constitutes a particular problem. (Lem)

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
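A bounds-checked rewrite of the three reads quoted in the forwarded message, added here as an example; it is not code from the socks5 sources or from either poster. The stream type, recv_n() and the *_safe function names are stand-ins for the real S5IORecv() and its callers; the 128-byte and 255-byte sizes are the ones stated in the message.

```c
#include <stddef.h>
#include <string.h>

#define USER_MAX    128   /* username field size quoted in the post */
#define SN_NAME_MAX 255   /* sizeof sn_name in struct sockaddr_name */

/* Constructed stand-in for a socket: a byte buffer with a read cursor. */
struct stream { const unsigned char *data; size_t len, pos; };

static int recv_n(struct stream *s, unsigned char *out, size_t n) {
    if (s->len - s->pos < n) return -1;   /* short read: fail, never overrun */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* SOCKS5 user/pass sub-negotiation string: 1-byte length, then the bytes.
 * Unlike GetString(), the length is checked against the caller's buffer
 * BEFORE anything is read into it.  Returns len, 0 if empty, -1 on error. */
int get_string_safe(struct stream *s, char *buf, size_t bufsz) {
    unsigned char len;
    buf[0] = '\0';
    if (recv_n(s, &len, 1) != 1) return -1;
    if (len == 0) return 0;
    if ((size_t)len >= bufsz) return -1;  /* would not fit with its NUL */
    if (recv_n(s, (unsigned char *)buf, len) != (int)len) return -1;
    buf[len] = '\0';
    return len;
}

/* SOCKS4 user id: the wire buffer may hold up to 519 bytes, the destination
 * field only USER_MAX.  Replaces the unbounded strcpy() with a copy that
 * refuses (rather than silently truncates) oversized ids. */
int copy_user_safe(const char *wire, char *dst, size_t dstsz) {
    const char *nul = memchr(wire, '\0', dstsz);
    if (nul == NULL) { dst[0] = '\0'; return -1; }
    memcpy(dst, wire, (size_t)(nul - wire) + 1);
    return 0;
}

/* Length-prefixed hostname into sn_name[SN_NAME_MAX].  The original wrote
 * the terminating NUL at sn_name[len], one past the end when len == 255. */
int copy_hostname_safe(const unsigned char *p, char *sn_name) {
    size_t len = p[0];
    if (len >= SN_NAME_MAX) return -1;    /* len bytes + NUL must fit */
    memcpy(sn_name, p + 1, len);
    sn_name[len] = '\0';
    return 0;
}
```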