Buffer Overflow in AnalogX Proxy and NEC Socks5

Discussion in 'other security issues & news' started by Paul Wilders, Jul 19, 2002.

Thread Status:
Not open for further replies.
    Paul Wilders (Administrator)
    Details
    Vulnerable systems:
    * AnalogX Proxy v4.07 and previous versions
    * NEC Socks5 version 1.0r11

    Web Proxy Overflow
    Sending a HTTP proxy request to the target system on TCP port 6588 consisting of a single space character followed by 320 or more non-space characters followed by 2 carriage-return linefeeds causes a read access violation in the application. Manually dismissing the application error message box that is displayed on the affected system at this point will terminate the process. If the message box is not manually dismissed then repeated sending of the request causes repeated access violation message boxes to appear on the affected system up to the point where the service no longer responds.

    Different numbers of bytes sent cause different error conditions to occur, such as write access violations and Watcom memory error dialogs.

    Socks4a Buffer Overflow
    Sending a Socks4a request to the target system on TCP port 1080 consisting of a hostname section of 140 or more characters will cause a write access violation application error. Manually dismissing the application error message box that is displayed on the affected system at this point will terminate the process. If the message box is not manually dismissed then repeated sending of the request causes repeated access violation message boxes to appear on the affected system up to the point where the service no longer responds.

    An example TCP packet to send is:
    [deleted - Forum Admin]

    Where the '\xXX' characters signify their corresponding HEX binary values and the '#' is substituted with the DNS name of 140 or more characters.

    Note:
    A similar problem affects NEC's Socks5 implementation.

    Solution:
    Refer to the vendor's web site for further details: www.analogx.com

    ----

    source: securiteam
     