misc/112649: Buffer Overflow in some SOCKS Server

Raffaele De Lorenzo raffaele.delorenzo at libero.it
Mon May 14 07:00:12 UTC 2007


>Number:         112649
>Category:       misc
>Synopsis:       Buffer Overflow in some SOCKS Server
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 14 07:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Raffaele De Lorenzo
>Release:        FreeBSD Stable 6.2
>Organization:
>Environment:
FreeBSD Noel.localhost 6.2-STABLE-200702 FreeBSD 6.2-STABLE-200702 #0: Sun Feb  4 13:09:46 UTC 2007     root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I have detected a buffer overflow in DANTE SOCKS Server and in NEC SOCKS5 Server that could be used for some attack.

The issue has been seen during the "connect" phase of the socks4 protocol (and maybe also socks5...) in the TCP connection. Maybe this happens also in socks5....
According to the NEC RFC (socks4), the socks4 packet, during the connect phase, has a size of 9 bytes + X (where X is a variable for an optional username).
If you queue some other bytes at the end of the packet (I have queued more than 3 bytes), the server still accepts the connection and continues the TCP negotiation, reusing the appended bytes. This can cause possible issues and allow malicious users to run code on the server machine. This problem is also present in Linux OS...
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
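The report above turns on how a server frames a SOCKS4 request: 8 fixed bytes (VN, CD, DSTPORT, DSTIP) followed by a NUL-terminated userid, 9 bytes minimum. The following C parser is an added example written for this page; it is not code from the report, from Dante or from the NEC server. It bounds every index by the number of bytes actually received, caps the userid at a local limit, and reports any bytes past the terminator as a framing violation instead of carrying them into the rest of the negotiation. The constants, the `socks4_request` struct, the result enum and the sample requests are all this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SOCKS4 request layout (NEC SOCKS4 protocol document):
 *   VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(variable) NUL(1)
 * i.e. 8 fixed bytes + userid + terminator: 9 bytes minimum. */
#define SOCKS4_VN            4
#define SOCKS4_CD_CONNECT    1
#define SOCKS4_CD_BIND       2
#define SOCKS4_FIXED_LEN     8
#define SOCKS4_MAX_USERID    255   /* local cap chosen for this example */

enum socks4_result {
    SOCKS4_OK = 0,
    SOCKS4_INCOMPLETE,        /* terminator not received yet: read more */
    SOCKS4_BAD_VERSION,
    SOCKS4_BAD_COMMAND,
    SOCKS4_USERID_TOO_LONG,
    SOCKS4_TRAILING_DATA      /* bytes after the terminator: reject */
};

struct socks4_request {
    uint8_t  cd;
    uint16_t dstport;          /* host byte order */
    uint32_t dstip;            /* host byte order */
    size_t   userid_len;
    char     userid[SOCKS4_MAX_USERID + 1];
};

/* Parse exactly one request from the bytes received so far.
 * Every index is bounded by len, never by the 9-byte minimum alone. */
enum socks4_result
socks4_parse(const uint8_t *buf, size_t len, struct socks4_request *out)
{
    if (len < SOCKS4_FIXED_LEN + 1)
        return SOCKS4_INCOMPLETE;
    if (buf[0] != SOCKS4_VN)
        return SOCKS4_BAD_VERSION;
    if (buf[1] != SOCKS4_CD_CONNECT && buf[1] != SOCKS4_CD_BIND)
        return SOCKS4_BAD_COMMAND;

    /* Walk the userid up to its NUL without running past the buffer. */
    size_t end = SOCKS4_FIXED_LEN;
    while (end < len && buf[end] != '\0') {
        if (end - SOCKS4_FIXED_LEN >= SOCKS4_MAX_USERID)
            return SOCKS4_USERID_TOO_LONG;
        end++;
    }
    if (end == len)
        return SOCKS4_INCOMPLETE;          /* NUL not seen yet */

    /* end indexes the NUL, so the request is exactly end + 1 bytes. A SOCKS4
     * client must wait for the reply before sending payload, so extra bytes
     * here are a framing violation, not data to reuse in the negotiation. */
    if (end + 1 != len)
        return SOCKS4_TRAILING_DATA;

    out->cd         = buf[1];
    out->dstport    = (uint16_t)((buf[2] << 8) | buf[3]);
    out->dstip      = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16)
                    | ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    out->userid_len = end - SOCKS4_FIXED_LEN;
    memcpy(out->userid, buf + SOCKS4_FIXED_LEN, out->userid_len);
    out->userid[out->userid_len] = '\0';
    return SOCKS4_OK;
}

/* Constructed sample requests for this example (not captured traffic). */
static const uint8_t k_valid[] =    /* CONNECT 192.0.2.10:80, userid "bob" */
    { 4, 1, 0x00, 0x50, 192, 0, 2, 10, 'b', 'o', 'b', 0 };
static const uint8_t k_trailing[] = /* same request plus four stray bytes */
    { 4, 1, 0x00, 0x50, 192, 0, 2, 10, 'b', 'o', 'b', 0, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t k_short[] =    /* terminator not yet received */
    { 4, 1, 0x00, 0x50, 192, 0, 2, 10, 'b', 'o' };

/* Wrappers so each case is a single call returning the verdict. */
enum socks4_result check_valid(void)
{ struct socks4_request r; return socks4_parse(k_valid, sizeof k_valid, &r); }
enum socks4_result check_trailing(void)
{ struct socks4_request r; return socks4_parse(k_trailing, sizeof k_trailing, &r); }
enum socks4_result check_short(void)
{ struct socks4_request r; return socks4_parse(k_short, sizeof k_short, &r); }
enum socks4_result check_long_userid(void)
{   /* fixed header + 256 'A's + NUL: one byte over the local userid cap */
    uint8_t buf[SOCKS4_FIXED_LEN + SOCKS4_MAX_USERID + 2];
    memcpy(buf, k_valid, SOCKS4_FIXED_LEN);
    memset(buf + SOCKS4_FIXED_LEN, 'A', SOCKS4_MAX_USERID + 1);
    buf[sizeof buf - 1] = '\0';
    struct socks4_request r;
    return socks4_parse(buf, sizeof buf, &r);
}
/* Destination port parsed from the valid sample, 0 if parsing failed. */
unsigned valid_port(void)
{ struct socks4_request r;
  return socks4_parse(k_valid, sizeof k_valid, &r) == SOCKS4_OK ? r.dstport : 0; }

int main(void)
{
    static const char *names[] = { "ok", "incomplete", "bad version",
        "bad command", "userid too long", "trailing data" };
    printf("valid:    %s (port %u)\n", names[check_valid()], valid_port());
    printf("trailing: %s\n", names[check_trailing()]);
    printf("short:    %s\n", names[check_short()]);
    printf("long id:  %s\n", names[check_long_userid()]);
    return 0;
}
```

The distinction between `SOCKS4_INCOMPLETE` and `SOCKS4_TRAILING_DATA` is the point: a server reading from a stream cannot assume a request arrives in one read, so it must keep reading until the terminator shows up, but once the terminator is in hand the request length is known exactly and anything beyond it has no place in the handshake.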

