[15953] in bugtraq
AnalogX Proxy DoS
daemon@ATHENA.MIT.EDU (labs@FOUNDSTONE.COM)
Tue Jul 25 16:09:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <2153DBA073F0D311911100B0D01A826F16CC14@206-135-57-166.gw.eni.net>
Date: Mon, 24 Jul 2000 20:02:22 -0700
Reply-To: labs@FOUNDSTONE.COM
From: labs@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
AnalogX Proxy DoS
----------------------------------------------------------------------
FS Advisory ID: FS-072500-7-ANA.txt
Release Date: July 25, 2000
Product: Proxy
Vendor: AnalogX (http://www.analogx.com)
Vendor Advisory: New patched version 4.05 available
Type: Denial of service through multiple buffer
overflows.
Severity: Low
Author: Robin Keir (robin.keir@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All Windows operating systems supported by
Proxy
Vulnerable versions: Proxy 4.04 (and possibly previous versions)
Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------
Description
AnalogX Proxy is a simple but effective proxy server that has
the ability to proxy requests for the following services:
HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP.
Using commands of an appropriate length, many of the services
exhibit unchecked buffers causing the proxy server to crash
with an invalid page fault thus creating a denial of service.
Normally this would only be a concern for users on the LAN
side of the proxy, but by default Proxy is configured to bind
to all interfaces on the host and so this would be exploitable
remotely from over the Internet.
Details
Standard commands of an appropriate size issued to the FTP,
SMTP, POP3 and SOCKS services cause page faults bringing the
entire program to a halt.
Proof of concept
Sending an FTP "USER" command containing approximately 370 or
more characters to the proxy server FTP TCP port 21 will crash
it.
Example #1: nc 192.168.1.2 21 < ftp.txt
Where ftp.txt contains:
"USER [long string of ~370 chars]@isp.com"
Sending an SMTP "HELO" command containing approximately 370 or
more characters to the proxy server SMTP TCP port 25 will
crash it.
Example #2: nc 192.168.1.2 21 < smtp.txt
Where smtp.txt contains:
"HELO [long string of ~370 chars]@isp.com"
Sending a POP3 "USER" command containing approximately 370 or
more characters to the proxy server POP3 TCP port 110 will
crash it.
Example #3: nc 192.168.1.2 21 < pop3.txt
Where pop3.txt contains:
"USER [long string of ~370 chars]@isp.com"
Sending a SOCKS4 "CONNECT" request with an overly large user
ID field of roughly 1800 characters or more to the proxy
server SOCKS TCP port 1080 will crash it.
Example #4: nc 192.168.1.2 1080 < socks.dat
Where socks.dat contains binary data with a user ID field of
approx. 1800 bytes.
Solution
Download Proxy 4.05 from
http://www.analogx.com/contents/download/network/proxy.htm
Prelimiary tests of the fix by Foundstone have confirmed the
problem is corrected.
Credits
We would like to thank AnalogX for their prompt reaction to
this problem and their co-operation in heightening security
awareness in the security community.
Disclaimer
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONQUENTIAL LOSS OR
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
