 
From: Dave Ahmad (da@securityfocus.com)
Date: Mon Jul 01 2002 - 16:54:55 CDT


    Dave Ahmad
    SecurityFocus
    www.securityfocus.com

    ---------- Forwarded message ----------
    Return-Path: <labs@foundstone.com>
    Delivered-To: da@securityfocus.com
    Received: (qmail 13630 invoked from network); 1 Jul 2002 21:32:14 -0000
    Received: from unknown (HELO mission.foundstone.com) (66.192.0.2)
      by mail.securityfocus.com with SMTP; 1 Jul 2002 21:32:14 -0000
    X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
    content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: text/plain;
            charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Subject: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
    Date: Mon, 1 Jul 2002 14:37:44 -0700
    Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47577@MISSION.foundstone.com>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX Proxy
    Thread-Index: AcIhR4n3TkCXBJz4TAqNDSFSrIolUg==
    From: "Foundstone Labs" <labs@foundstone.com>
    To: <da@securityfocus.com>

    ----------------------------------------------------------------------
    FS Advisory ID: FS-070102-23-AXPR

    Release Date: July 1st, 2002

    Product: AnalogX Proxy

    Vendor: AnalogX (http://www.analogx.com)

    Vendor Advisory: See vendor web site

    Type: Buffer Overflow

    Severity: High

    Author: Robin Keir (robin.keir@foundstone.com)
                                    Foundstone, Inc.
                                    (http://www.foundstone.com)

    Operating Systems: Windows variants

    Vulnerable versions: Proxy v4.07 and previous

    Foundstone Advisory: http://www.foundstone.com/advisories.htm
    ---------------------------------------------------------------------

    Description

    A buffer overflow exists in AnalogX's Proxy software.
    Exploitation of this vulnerability allows remote execution of
    arbitrary code with the privileges of the Proxy daemon.

    Details

    Web Proxy overflow

    Sending an HTTP proxy request to the target system on TCP port 6588
    consisting of a single space character followed by 320 or more
    non-space characters followed by two carriage-return/linefeed pairs
    causes a read access violation in the application. Manually dismissing
    the application error message box that is displayed on the affected
    system at this point terminates the process. If the message box is not
    dismissed, repeatedly sending the request causes repeated access
    violation message boxes to appear on the affected system until the
    service no longer responds.

    Different numbers of bytes sent cause different error conditions,
    such as write access violations and Watcom memory error dialogs.

    SOCKS4a buffer overflow

    Sending a SOCKS4a request to the target system on TCP port 1080
    consisting of a hostname section of 140 or more characters causes a
    write access violation application error. Manually dismissing the
    application error message box that is displayed on the affected system
    at this point terminates the process. If the message box is not
    dismissed, repeatedly sending the request causes repeated access
    violation message boxes to appear on the affected system until the
    service no longer responds.

    An example TCP packet to send is

    \x04\x01\x04\x38\x00\x00\x00abcd\x00#\x00

    where each '\xXX' signifies the byte with that hexadecimal value and
    the '#' is substituted with a DNS name of 140 or more characters.
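    The two trigger conditions described above, written as request checks
    that a defender could run at a proxy front end, in a log replay, or
    when testing an IDS rule. This is an added example and is not code from
    the Foundstone advisory or from AnalogX; the SOCKS4a field layout
    follows the advisory's example packet, the length thresholds (320 and
    140) are the ones the advisory reports, and the sample packets below
    are constructed for illustration.

```python
import struct

# Trigger lengths reported in the advisory (assumed as detection thresholds).
HTTP_TRIGGER_LEN = 320     # non-space bytes after a leading space, TCP/6588
SOCKS4A_TRIGGER_LEN = 140  # hostname bytes in a SOCKS4a request, TCP/1080


def parse_socks4a(packet: bytes) -> dict:
    """Parse a SOCKS4 / SOCKS4a request header.

    Layout: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL].
    The hostname is only present (SOCKS4a) when DSTIP is 0.0.0.x, x != 0.
    Raises ValueError on a malformed packet so callers can treat it as
    suspicious rather than silently accepting it.
    """
    if len(packet) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", packet[:4])
    ip = tuple(packet[4:8])
    if vn != 4:
        raise ValueError("not SOCKS version 4")
    rest = packet[8:]
    parts = rest.split(b"\x00", 1)
    if len(parts) != 2:
        raise ValueError("USERID not NUL-terminated")
    userid, rest = parts
    hostname = None
    if ip[:3] == (0, 0, 0) and ip[3] != 0:
        parts = rest.split(b"\x00", 1)
        if len(parts) != 2:
            raise ValueError("hostname not NUL-terminated")
        hostname = parts[0]
    return {"version": vn, "command": cd, "port": port, "ip": ip,
            "userid": userid, "hostname": hostname}


def socks4a_matches_advisory(packet: bytes) -> bool:
    """True when a well-formed SOCKS4a request carries a 140+ byte hostname."""
    try:
        req = parse_socks4a(packet)
    except ValueError:
        return False
    return req["hostname"] is not None and len(req["hostname"]) >= SOCKS4A_TRIGGER_LEN


def http_matches_advisory(data: bytes) -> bool:
    """True for: one leading space, 320+ non-space bytes, then CRLF CRLF."""
    if not data.startswith(b" "):
        return False
    body = data[1:]
    end = body.find(b"\r\n\r\n")
    if end < 0:
        return False
    token = body[:end]
    return len(token) >= HTTP_TRIGGER_LEN and b" " not in token


# Constructed samples following the advisory's packet layout:
# VN=4, CD=1, DSTPORT=0x0438, DSTIP=0.0.0.'a' (0x61, the SOCKS4a marker),
# USERID "bcd", NUL, hostname, NUL.
SOCKS_PREFIX = b"\x04\x01\x04\x38\x00\x00\x00abcd\x00"
SAMPLE_SOCKS_BENIGN = SOCKS_PREFIX + b"www.example.com" + b"\x00"
SAMPLE_SOCKS_LONG = SOCKS_PREFIX + b"h" * 140 + b"\x00"
SAMPLE_HTTP_BENIGN = b"GET http://www.example.com/ HTTP/1.0\r\n\r\n"
SAMPLE_HTTP_LONG = b" " + b"A" * 320 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("benign", SAMPLE_SOCKS_BENIGN), ("long", SAMPLE_SOCKS_LONG)]:
        print("socks4a", name, parse_socks4a(pkt)["hostname"][:20],
              "matches:", socks4a_matches_advisory(pkt))
    for name, req in [("benign", SAMPLE_HTTP_BENIGN), ("long", SAMPLE_HTTP_LONG)]:
        print("http", name, "matches:", http_matches_advisory(req))
```

    The SOCKS4a parser also refuses requests whose USERID or hostname is
    not NUL-terminated, which is the other input a length-unchecked copy
    would mishandle; a deployment that logs both the length match and the
    parse failure gets the full picture.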

    Solution:

    Refer to the vendor's web site for further details:
    http://www.analogx.com

    Credits:

    Foundstone would like to thank AnalogX for their prompt
    response and handling of this problem.

    Disclaimer:

    The information contained in this advisory is copyright (c) 2002
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing, but no representation of any warranty is given,
    express, or implied as to its accuracy or completeness. In no
    event shall the author or Foundstone be liable for any direct,
    indirect, incidental, special, exemplary or consequential
    damages resulting from the use or misuse of this information.
    This advisory may be redistributed, provided that no fee is
    assigned and that the advisory is not modified in any way.