From owner-freebsd-bugs@FreeBSD.ORG  Mon May 14 07:00:12 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3A57A16A400
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 14 May 2007 07:00:12 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 040B313C46C
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 14 May 2007 07:00:12 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l4E70Bpt002329
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 14 May 2007 07:00:11 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l4E70Br7002289;
	Mon, 14 May 2007 07:00:11 GMT (envelope-from gnats)
Resent-Date: Mon, 14 May 2007 07:00:11 GMT
Resent-Message-Id: <200705140700.l4E70Br7002289@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Raffaele De Lorenzo<raffaele.delorenzo@libero.it>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C0A0416A413
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 14 May 2007 06:58:20 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id B18EC13C4AE
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 14 May 2007 06:58:20 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4E6wKAP091797
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 06:58:20 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4E6rIT3090360;
	Mon, 14 May 2007 06:53:18 GMT (envelope-from nobody)
Message-Id: <200705140653.l4E6rIT3090360@www.freebsd.org>
Date: Mon, 14 May 2007 06:53:18 GMT
From: Raffaele De Lorenzo<raffaele.delorenzo@libero.it>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.0
Cc: 
Subject: misc/112649: Buffer Overflow in some SOCKS Server
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 May 2007 07:00:12 -0000


>Number:         112649
>Category:       misc
>Synopsis:       Buffer Overflow in some SOCKS Server
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 14 07:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Raffaele De Lorenzo
>Release:        FreeBSD Stable 6.2
>Organization:
>Environment:
FreeBSD Noel.localhost 6.2-STABLE-200702 FreeBSD 6.2-STABLE-200702 #0: Sun Feb  4 13:09:46 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I have detected a buffer overflow in DANTE SOCKS Server and in NEC SOCKS5 Server that could be used for some attack.

The issue has been seen during the "connect" phase of the socks4 protocol (and maybe also socks5...) in the tcp connection. Maybe this happens also in socks5....
According to the NEC RFC (socks4), the socks4 packet, during the connect phase, has a size of 9 bytes + X (where X is a variable for an optional username).
If you queue some other bytes at the end of the packet (I have queued more than 3 bytes), the server still accepts the connection and continues the tcp negotiation, reusing the appended bytes. This can cause possible issues and allow malicious users to run code on the server machine. This problem is also present on Linux OS...
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
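As an added example, not from the report and not the code of either server it names, here is a strict SOCKS4/SOCKS4a CONNECT request parser in Python that accepts exactly the 8 fixed bytes plus the NUL-terminated USERID (and the hostname for SOCKS4a) and rejects any bytes left over, rather than carrying them into the next read as the report describes. The sample requests are constructed.

```python
import struct

FIXED_LEN = 8  # VN(1) CD(1) DSTPORT(2) DSTIP(4); USERID follows, NUL-terminated


def parse_socks4_connect(data: bytes) -> dict:
    """Parse exactly one SOCKS4/SOCKS4a CONNECT request, or raise ValueError.

    Anything that is not a single well-formed request is rejected; a server
    that instead keeps the excess bytes buffered is the behaviour reported.
    """
    if len(data) < FIXED_LEN + 1:
        raise ValueError("request shorter than fixed header plus USERID terminator")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:FIXED_LEN])
    if vn != 4:
        raise ValueError(f"unsupported SOCKS version {vn}")
    if cd != 1:  # 1 = CONNECT; 2 = BIND is not handled here
        raise ValueError(f"unsupported command {cd}")
    nul = data.find(b"\x00", FIXED_LEN)
    if nul < 0:
        raise ValueError("USERID is not NUL-terminated")
    userid = data[FIXED_LEN:nul].decode("ascii", errors="replace")
    rest = data[nul + 1:]
    host = None
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) means a NUL-terminated hostname follows
    # USERID. In every other case nothing at all may follow the USERID NUL.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        hnul = rest.find(b"\x00")
        if hnul < 0:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        host = rest[:hnul].decode("ascii", errors="replace")
        rest = rest[hnul + 1:]
    if rest:
        raise ValueError(f"{len(rest)} trailing byte(s) after the request")
    return {"port": port, "ip": ".".join(str(b) for b in ip),
            "userid": userid, "host": host}


def classify(data: bytes) -> str:
    """Detection-style helper: 'ok', or the rejection reason for a log line."""
    try:
        parse_socks4_connect(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed samples: CONNECT to 10.0.0.1:80 as "bob", the same request with
# four extra bytes appended (the pattern from the report), and a SOCKS4a request.
GOOD = b"\x04\x01\x00\x50\x0a\x00\x00\x01bob\x00"
PADDED = GOOD + b"ABCD"
SOCKS4A = b"\x04\x01\x00\x50\x00\x00\x00\x01bob\x00example.test\x00"

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("PADDED", PADDED), ("SOCKS4A", SOCKS4A)):
        print(name, classify(req))
```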