Subject: AnalogX Proxy DoS
From: labs@FOUNDSTONE.COM
Date: Mon Jul 24 2000 - 22:02:22 CDT


                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           AnalogX Proxy DoS

----------------------------------------------------------------------
FS Advisory ID: FS-072500-7-ANA.txt

Release Date: July 25, 2000

Product: Proxy

Vendor: AnalogX (http://www.analogx.com)

Vendor Advisory: New patched version 4.05 available

Type: Denial of service through multiple buffer
                        overflows.

Severity: Low

Author: Robin Keir (robin.keir@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems: All Windows operating systems supported by
                        Proxy

Vulnerable versions: Proxy 4.04 (and possibly previous versions)

Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        AnalogX Proxy is a simple but effective proxy server that has
        the ability to proxy requests for the following services:
        HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP.

        Many of the services have unchecked buffers: a command of
        sufficient length causes the proxy server to crash with an
        invalid page fault, creating a denial of service. Normally
        this would only be a concern for users on the LAN side of the
        proxy, but by default Proxy is configured to bind to all
        interfaces on the host, so the flaw is also exploitable
        remotely from the Internet.

Details

        Standard commands of an appropriate size issued to the FTP,
        SMTP, POP3 and SOCKS services cause page faults bringing the
        entire program to a halt.

Proof of concept

        Sending an FTP "USER" command containing approximately 370 or
        more characters to the proxy server FTP TCP port 21 will crash
        it.

        Example #1: nc 192.168.1.2 21 < ftp.txt

        Where ftp.txt contains:
        "USER [long string of ~370 chars]isp.com"

        Sending an SMTP "HELO" command containing approximately 370 or
        more characters to the proxy server SMTP TCP port 25 will
        crash it.

        Example #2: nc 192.168.1.2 25 < smtp.txt

        Where smtp.txt contains:
        "HELO [long string of ~370 chars]isp.com"

        Sending a POP3 "USER" command containing approximately 370 or
        more characters to the proxy server POP3 TCP port 110 will
        crash it.

        Example #3: nc 192.168.1.2 110 < pop3.txt

        Where pop3.txt contains:
        "USER [long string of ~370 chars]isp.com"

        Sending a SOCKS4 "CONNECT" request with an overly large user
        ID field of roughly 1800 characters or more to the proxy
        server SOCKS TCP port 1080 will crash it.

        Example #4: nc 192.168.1.2 1080 < socks.dat

        Where socks.dat contains binary data with a user ID field of
        approx. 1800 bytes.

Solution

        Download Proxy 4.05 from

        http://www.analogx.com/contents/download/network/proxy.htm

        Preliminary tests of the fix by Foundstone have confirmed the
        problem is corrected.
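
        The advisory does not show the vendor's fix. As an added
        illustration (not AnalogX's or Foundstone's code), the sketch
        below shows the kind of length check the affected parsers
        lacked; copy_arg, socks4_userid and the 255-byte MAX_ARG limit
        are hypothetical names and values chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG 255  /* assumed limit for a USER/HELO argument and a SOCKS4 user ID */

/* Copy the argument of a line command such as "USER name\r\n" into out.
 * Returns 0 on success, -1 if there is no argument or it exceeds MAX_ARG. */
int copy_arg(const char *line, size_t len, char out[MAX_ARG + 1])
{
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL) return -1;
    const char *arg = sp + 1;
    size_t n = len - (size_t)(arg - line);
    while (n > 0 && (arg[n - 1] == '\r' || arg[n - 1] == '\n')) n--;
    if (n == 0 || n > MAX_ARG) return -1;    /* reject instead of truncating */
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* SOCKS4 request layout: VN(1)=4, CD(1), DSTPORT(2), DSTIP(4), USERID, NUL.
 * Copies the user ID into out. Returns 0 on success, -1 if the request is
 * short, not version 4, unterminated, or the user ID exceeds MAX_ARG. */
int socks4_userid(const uint8_t *buf, size_t len, char out[MAX_ARG + 1])
{
    if (len < 9 || buf[0] != 4) return -1;
    const uint8_t *uid = buf + 8;
    const uint8_t *nul = memchr(uid, 0, len - 8);
    if (nul == NULL) return -1;              /* never scan past received data */
    size_t n = (size_t)(nul - uid);
    if (n > MAX_ARG) return -1;
    memcpy(out, uid, n + 1);                 /* n bytes plus the terminating NUL */
    return 0;
}

/* Constructed inputs; the 370 and 1800 sizes are the ones the advisory cites. */
int main(void)
{
    char out[MAX_ARG + 1], line[512] = "USER ";
    uint8_t req[2048] = {4, 1, 0, 80, 192, 168, 1, 2, 'b', 'o', 'b', 0};
    printf("short USER:    %d\n", copy_arg("USER bob\r\n", 10, out));
    printf("short user ID: %d\n", socks4_userid(req, 12, out));
    memset(line + 5, 'A', 370);              /* 370-byte argument */
    memset(req + 8, 'A', 1800);              /* 1800-byte user ID, NUL follows */
    printf("long USER:     %d\n", copy_arg(line, 375, out));
    printf("long user ID:  %d\n", socks4_userid(req, 1809, out));
    return 0;
}
```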

Credits

        We would like to thank AnalogX for their prompt reaction to
        this problem and their co-operation in heightening security
        awareness in the security community.

Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.