Anon Proxy Server <= 0.102 remote buffer overflow

2008.02.06
Credit: L4teral
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

======================================================================
Anon Proxy Server <= 0.102 remote buffer overflow
======================================================================

Author: L4teral <l4teral [4t] gmail com>
Impact: remote buffer overflow
Status: patch available

------------------------------
Affected software description:
------------------------------

Application: Anon Proxy Server
Version: <= 0.102
Vendor: http://anonproxyserver.sourceforge.net
Description: A fast http, https, socks caching proxy server. Easy web based configuration, optional p2p anonymous mode.

--------------
Vulnerability:
--------------

When user authentication is enabled, the server can be exploited by passing a long username containing quotes. The username is checked for length, but the function strquotecpy() in the file access.c escapes quote characters by prepending a backslash, enlarging the string without checking the resulting length.

------------
PoC/Exploit:
------------

Use the following perl code to generate a username that triggers the buffer overflow when used for authentication:

#!/usr/bin/perl
print "A" x 430 . '"' x 29 . "A" x 40 . "\n";

The program will catch the exception and restart itself - attach a debugger to see the EIP overwrite.

---------
Solution:
---------

Upgrade to version 0.103 or higher.

---------
Timeline:
---------

2008-01-27 - vendor informed
2008-01-28 - vendor released patch
2008-02-03 - public disclosure
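The defect class described above, as an added C illustration (this is not code from Anon Proxy Server; the real strquotecpy() in access.c is not reproduced here). It shows why a length check on the raw username is not enough once quotes are escaped, and a replacement that checks the escaped length before copying. The 512-byte buffer size and the helper names are assumptions; the input is constructed to match the shape of the PoC (430 'A', 29 '"', 40 'A').

```c
#include <stdio.h>
#include <string.h>

/* Length of s after every '"' is escaped as \" (terminating NUL not counted). */
size_t escaped_len(const char *s) {
    size_t n = 0;
    for (; *s; s++)
        n += (*s == '"') ? 2 : 1;
    return n;
}

/* Hypothetical reconstruction of the flawed pattern (not the real strquotecpy() from access.c):
 * the caller checked strlen(src) only; this writes escaped_len(src)+1 bytes without looking at dst's size. */
void strquotecpy_unchecked(char *dst, const char *src) {
    for (; *src; src++) {
        if (*src == '"') *dst++ = '\\';
        *dst++ = *src;
    }
    *dst = '\0';
}

/* Hardened form: the bound is checked on the escaped length, not the input length. */
int strquotecpy_checked(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0 || escaped_len(src) + 1 > dstsize) {
        if (dstsize) dst[0] = '\0';
        return 0;                      /* escaped string would not fit: refuse */
    }
    strquotecpy_unchecked(dst, src);   /* now known to be in bounds */
    return 1;
}

/* Constructed username with the shape of the advisory's PoC:
 * 430 'A', 29 '"', 40 'A' = 499 bytes before escaping (528 after). */
size_t build_poc_username(char *out, size_t outsize) {
    if (outsize < 500) return 0;
    memset(out, 'A', 430);
    memset(out + 430, '"', 29);
    memset(out + 459, 'A', 40);
    out[499] = '\0';
    return 499;
}

int main(void) {
    char user[512], dst[512];          /* 512 is an ASSUMED buffer size */
    build_poc_username(user, sizeof user);
    printf("input %zu bytes, escaped %zu bytes\n", strlen(user), escaped_len(user));
    printf("checked copy into %zu-byte buffer: %s\n", sizeof dst,
           strquotecpy_checked(dst, sizeof dst, user) ? "ok" : "rejected");
    return 0;
}
```

The input passes a 500-byte length check yet grows to 528 bytes once the 29 quotes are escaped, which is exactly the gap the checked version closes.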


Copyright 2024, cxsecurity.com
