Anon Proxy Server <= 0.102 remote buffer overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Anon Proxy Server <= 0.102 remote buffer overflow
- From: L4teral <l4teral@xxxxxxxxx>
- Date: Sun, 3 Feb 2008 20:09:41 +0100
- List-id: <bugtraq.list-id.securityfocus.com>
======================================================================
Anon Proxy Server <= 0.102 remote buffer overflow
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: remote buffer overflow
Status: patch available
------------------------------
Affected software description:
------------------------------
Application: Anon Proxy Server
Version: <= 0.102
Vendor: http://anonproxyserver.sourceforge.net
Description:
A fast http, https, socks caching proxy server.
Easy web based configuration, optional p2p anonymous mode.
--------------
Vulnerability:
--------------
When user authentication is enabled, the server can be exploited by
passing a long username containing quote characters. The username is
length-checked, but the function strquotecpy() in the file access.c
then escapes each quote character by prepending a backslash, which
lengthens the string without re-checking the resulting length against
the destination buffer.
------------
PoC/Exploit:
------------
Use the following Perl code to generate a username that triggers
the buffer overflow when used for authentication:
#!/usr/bin/perl
print "A" x 430 . '"' x 29 . "A" x 40 . "\n";
The program will catch the exception and restart itself; attach a
debugger to see the EIP overwrite.
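The length mismatch described above comes from checking the input before escaping and never checking the output after it. The C below is an added example, not code from Anon Proxy Server or its access.c: safe_quote_copy() and escaped_length() are hypothetical names for a copy that sizes the escaped result before writing, and the 512-byte destination used in main() is an assumed buffer size chosen only to show the check rejecting the advisory's 499-character username, which escapes to 528 bytes. Only '"' is escaped, matching the behaviour the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length the escaped form of src would have (every '"' becomes two
 * bytes), not counting the terminating NUL. Useful for sizing and
 * for logging rejected input. */
size_t escaped_length(const char *src)
{
    size_t n = 0;
    for (; *src != '\0'; src++)
        n += (*src == '"') ? 2 : 1;
    return n;
}

/* Bounded quote-escaping copy (hypothetical replacement for an
 * unchecked strquotecpy-style routine). Copies src into dst, prepending
 * a backslash to each '"'. Before every write it verifies that the
 * escaped byte(s) plus the NUL still fit in dst_size; if not, dst is
 * emptied and -1 is returned. On success returns the bytes written. */
int safe_quote_copy(char *dst, size_t dst_size, const char *src)
{
    size_t out = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    for (const char *p = src; *p != '\0'; p++) {
        size_t need = (*p == '"') ? 2 : 1;
        /* The check happens on the escaped size, not the input size. */
        if (out + need + 1 > dst_size) {
            dst[0] = '\0';
            return -1;
        }
        if (need == 2)
            dst[out++] = '\\';
        dst[out++] = *p;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Builds the username shape from the advisory's PoC (430 'A', 29 '"',
 * 40 'A'; constructed here, 499 characters) in a static buffer. */
const char *advisory_username(void)
{
    static char name[500];
    memset(name, 'A', 430);
    memset(name + 430, '"', 29);
    memset(name + 459, 'A', 40);
    name[499] = '\0';
    return name;
}

int main(void)
{
    const char *user = advisory_username();
    char dst[1024];
    /* 512 is an assumed destination size for the demonstration only. */
    int rc = safe_quote_copy(dst, 512, user);
    printf("input %zu bytes, escaped %zu bytes, copy into 512: %s\n",
           strlen(user), escaped_length(user),
           rc < 0 ? "rejected" : "accepted");
    rc = safe_quote_copy(dst, sizeof dst, user);
    printf("copy into %zu: %d bytes written\n", sizeof dst, rc);
    return 0;
}
```

The point of the example is that the length check must be applied to the escaped output, not to the raw input; a check on the input alone is exactly what the advisory's 29 quote characters defeat.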
---------
Solution:
---------
Upgrade to version 0.103 or higher.
---------
Timeline:
---------
2008-01-27 - vendor informed
2008-01-28 - vendor released patch
2008-02-03 - public disclosure