[NT] Anon Proxy Server Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Feb 2008 12:27:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Anon Proxy Server Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://anonproxyserver.sourceforge.net> Anon Proxy Server is "a fast
http, https, socks caching proxy server. Easy web based configuration,
optional p2p anonymous mode". A vulnerability in Anon Proxy Server allows
remote attackers to crash it by overflowing an internal buffer; this can
also be leveraged to make the product execute arbitrary code.
DETAILS
Vulnerable Systems:
* Anon Proxy Server version 0.102
Immune Systems:
* Anon Proxy Server version 0.103
When user authentication is enabled, the server can be exploited by
passing a long username containing quotes. The username is checked for
length, but the function strquotecpy() in the file access.c escapes quote
characters by prepending a backslash, enlarging the string without
checking the resulting length.
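As an added illustration (not the project's own code), the following C reconstructs the escaping pattern the advisory describes and pairs it with a bounded variant that sizes the output rather than the input; the function names, the 512-byte username buffer and the example strings are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for illustration; the advisory does not state the
 * real one. */
#define USERNAME_BUF 512

/* Length the escaped form of src needs, excluding the terminator: every
 * '"' becomes '\"', so the result can be up to twice the input length. */
size_t escaped_len(const char *src)
{
    size_t n = 0;
    for (; *src; src++)
        n += (*src == '"') ? 2 : 1;
    return n;
}

/* Bounded escaping copy (hypothetical, not the project's strquotecpy):
 * writes the escaped form of src into dst[dstsize], always NUL-terminates,
 * returns 0 on success or -1 if the escaped string would not fit.
 * The point is to bound the *output* length; checking only the input
 * length, as the vulnerable version did, is not enough once escaping
 * grows the string. */
int strquotecpy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    if (escaped_len(src) + 1 > dstsize) {
        dst[0] = '\0';
        return -1;
    }
    char *p = dst;
    for (; *src; src++) {
        if (*src == '"')
            *p++ = '\\';
        *p++ = *src;
    }
    *p = '\0';
    return 0;
}

/* Mirrors the check a server should do before accepting a username:
 * returns 1 if it fits the fixed buffer after escaping, 0 otherwise. */
int username_fits(const char *username)
{
    char buf[USERNAME_BUF];
    return strquotecpy_bounded(buf, sizeof buf, username) == 0;
}
```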
Exploit:
Use the following perl code to generate a username triggering the buffer
overflow when used for authentication:
#!/usr/bin/perl
# 430 'A', 29 double quotes, 40 'A': 499 bytes before escaping
print "A" x 430 . '"' x 29 . "A" x 40 . "\n";
The program will catch the exception and restart itself - attach a
debugger to see the EIP overwrite.
ADDITIONAL INFORMATION
The information has been provided by <mailto:l4teral@xxxxxxxxx> L4teral.