Home page logo
/

bugtraq logo Bugtraq mailing list archives

Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd)
From: Dave Ahmad <da () securityfocus com>
Date: Mon, 1 Jul 2002 15:54:55 -0600 (MDT)



Dave Ahmad
SecurityFocus
www.securityfocus.com

---------- Forwarded message ----------
Return-Path: <labs () foundstone com>
Delivered-To: da () securityfocus com
Received: (qmail 13630 invoked from network); 1 Jul 2002 21:32:14 -0000
Received: from unknown (HELO mission.foundstone.com) (66.192.0.2)
  by mail.securityfocus.com with SMTP; 1 Jul 2002 21:32:14 -0000
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
Date: Mon, 1 Jul 2002 14:37:44 -0700
Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47577 () MISSION foundstone com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
Thread-Index: AcIhR4n3TkCXBJz4TAqNDSFSrIolUg==
From: "Foundstone Labs" <labs () foundstone com>
To: <da () securityfocus com>

----------------------------------------------------------------------
FS Advisory ID:                 FS-070102-23-AXPR

Release Date:                   July 1st, 2002

Product:                        AnalogX Proxy

Vendor:                         AnalogX (http://www.analogx.com)

Vendor Advisory:                See vendor web site

Type:                           Buffer Overflow

Severity:                       High

Author:                         Robin Keir (robin.keir () foundstone com)
                                Foundstone, Inc.
                                (http://www.foundstone.com)

Operating Systems:              Windows variants

Vulnerable versions:            Proxy v4.07 and previous

Foundstone Advisory:            http://www.foundstone.com/advisories.htm
---------------------------------------------------------------------

Description

A buffer overflow exists in AnalogX's Proxy software.
Exploitation of this vulnerability allows remote execution of
arbitrary code with the privileges of the Proxy daemon.

Details

Web Proxy overflow

Sending a HTTP proxy request to the target system on TCP port 6588
consisting of a single space character followed by 320 or more
non-space characters followed by 2 carriage-return linefeeds causes
a read access violation in the application. Manually dismissing the
application error message box that is displayed on the affected system
at this point will terminate the process. If the message box is not
manually dismissed then repeated sending of the request causes repeated
access violation message boxes to appear on the affected system up to
the point where the service no longer responds.

Different number of bytes sent cause different error conditions
to occur, such as write access violations and Watcom memory
error dialogs to appear.

Socks4a buffer overflow.

Sending a Sock4a request to the target system on TCP port 1080
consisting
of a hostname section of 140 or more characters will cause a write
access
violation application error. Manually dismissing the application error
message box that is displayed on the affected system at this point will
terminate the process. If the message box is not manually dismissed then

repeated sending of the request causes repeated access violation message

boxes to appear on the affected system up to the point where the service

no longer responds.

An example TCP packet to send is

\x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00

where the '\xXX' characters signify their corresponding HEX binary
values and
the '#' is substituted with the DNS name of 140 or more characters.

Solution:

Refer to the vendor's web site for further details:
http://www.analogx.com

Credits:

Foundstone would like to thank AnalogX for their prompt
response and handling of this problem.


Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given,
express, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential
damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault