Title: AnalogX Proxy DoS
Released by: Foundstone
Date: 25th July 2000

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           AnalogX Proxy DoS

----------------------------------------------------------------------

FS Advisory ID:         FS-072500-7-ANA.txt

Release Date:           July 25, 2000

Product:                Proxy

Vendor:                 AnalogX (http://www.analogx.com)

Vendor Advisory:        New patched version 4.05 available

Type:                   Denial of service through multiple buffer
                        overflows.

Severity:               Low

Author:                 Robin Keir (robin.keir@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All Windows operating systems supported by
                        Proxy

Vulnerable versions:    Proxy 4.04 (and possibly previous versions)

Foundstone Advisory:    http://www.foundstone.com/advisories.htm

----------------------------------------------------------------------



Description

        AnalogX Proxy is a simple but effective proxy server that has
        the ability to proxy requests for the following services:
        HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP.

        Using commands of an appropriate length, many of the services
        exhibit unchecked buffers causing the proxy server to crash
        with an invalid page fault thus creating a denial of service.
        Normally this would only be a concern for users on the LAN
        side of the proxy, but by default Proxy is configured to bind
        to all interfaces on the host and so this would be exploitable
        remotely from over the Internet.



Details

        Standard commands of an appropriate size issued to the FTP,
        SMTP, POP3 and SOCKS services cause page faults bringing the
        entire program to a halt.



Proof of concept

        Sending an FTP "USER" command containing approximately 370 or
        more characters to the proxy server FTP TCP port 21 will crash
        it.

        Example #1: nc 192.168.1.2 21 < ftp.txt

        Where ftp.txt contains:
        "USER [long string of ~370 chars]@isp.com"



        Sending an SMTP "HELO" command containing approximately 370 or
        more characters to the proxy server SMTP TCP port 25 will
        crash it.

        Example #2: nc 192.168.1.2 25 < smtp.txt

        Where smtp.txt contains:
        "HELO [long string of ~370 chars]@isp.com"



        Sending a POP3 "USER" command containing approximately 370 or
        more characters to the proxy server POP3 TCP port 110 will
        crash it.

        Example #3: nc 192.168.1.2 110 < pop3.txt

        Where pop3.txt contains:
        "USER [long string of ~370 chars]@isp.com"



        Sending a SOCKS4 "CONNECT" request with an overly large user
        ID field of roughly 1800 characters or more to the proxy
        server SOCKS TCP port 1080 will crash it.

        Example #4: nc 192.168.1.2 1080 < socks.dat

        Where socks.dat contains binary data with a user ID field of
        approx. 1800 bytes.
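
        Added example, not part of the Foundstone advisory or of AnalogX's
        code: a length check that a filter or IDS in front of the proxy
        could apply to the first client payload on the four affected
        ports. The 255-byte limits, the function names and the sample
        payloads are assumptions made for this sketch.

```python
import struct

# Assumed limits (not from the advisory), set well below the ~370 and ~1800
# byte sizes it reports as crashing Proxy 4.04.
MAX_TEXT_ARG = 255
MAX_SOCKS4_USERID = 255
# Commands named in the advisory, keyed by the service's TCP port.
TEXT_COMMANDS = {21: b"USER", 25: b"HELO", 110: b"USER"}


def check_text_command(port, payload):
    """Flag an overlong argument on the first line of an FTP/SMTP/POP3 session."""
    verb = TEXT_COMMANDS.get(port)
    parts = payload.split(b"\n", 1)[0].rstrip(b"\r").split(None, 1)
    if verb is None or not parts or parts[0].upper() != verb:
        return None
    arg = parts[1] if len(parts) > 1 else b""
    if len(arg) > MAX_TEXT_ARG:
        return f"port {port}: {verb.decode()} argument is {len(arg)} bytes"
    return None


def check_socks4_connect(payload):
    """Flag an overlong user ID in a SOCKS4 CONNECT request."""
    if len(payload) < 8:
        return None
    # Fixed header: version, command, destination port, destination IPv4.
    version, command, _port, _ip = struct.unpack("!BBH4s", payload[:8])
    if version != 4 or command != 1:
        return None
    # The user ID follows the header and runs to the first NUL byte.
    userid = payload[8:].split(b"\x00", 1)[0]
    if len(userid) > MAX_SOCKS4_USERID:
        return f"port 1080: SOCKS4 user ID is {len(userid)} bytes"
    return None


def inspect(port, payload):
    """Dispatch a client's first payload to the check for that service port."""
    if port == 1080:
        return check_socks4_connect(payload)
    return check_text_command(port, payload)


# Constructed payloads (not captured traffic), sized just past the assumed limits.
SAMPLES = [
    (21, b"USER alice@isp.com\r\n"),
    (25, b"HELO " + b"A" * 300 + b"\r\n"),
    (1080, struct.pack("!BBH4s", 4, 1, 80, bytes([192, 0, 2, 10])) + b"B" * 300 + b"\x00"),
]
```

        inspect() returns None for an acceptable payload and a short
        finding string otherwise, so it can gate a connection or feed an
        alert.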



Solution

        Download Proxy 4.05 from

        http://www.analogx.com/contents/download/network/proxy.htm

        Preliminary tests of the fix by Foundstone have confirmed the
        problem is corrected.



Credits

        We would like to thank AnalogX for their prompt reaction to
        this problem and their co-operation in heightening security
        awareness in the security community.



Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.







