FS-072500-7-ANA.txt

2000-07-25T00:00:00
ID PACKETSTORM:22637
Type packetstorm
Reporter Robin Keir
Modified 2000-07-25T00:00:00

Description

                                        
Foundstone, Inc.  
http://www.foundstone.com  
"Securing the Dot Com World"  
  
Security Advisory  
  
AnalogX Proxy DoS  
  
----------------------------------------------------------------------  
FS Advisory ID: FS-072500-7-ANA.txt  
  
Release Date: July 25, 2000  
  
Product: Proxy  
  
Vendor: AnalogX (http://www.analogx.com)  
  
Vendor Advisory: New patched version 4.05 available  
  
Type: Denial of service through multiple buffer  
overflows.  
  
Severity: Low  
  
Author: Robin Keir (robin.keir@foundstone.com)  
Stuart McClure (stuart.mcclure@foundstone.com)  
Foundstone, Inc. (http://www.foundstone.com)  
  
Operating Systems: All Windows operating systems supported by  
Proxy  
  
Vulnerable versions: Proxy 4.04 (and possibly previous versions)  
  
Foundstone Advisory: http://www.foundstone.com/advisories.htm  
----------------------------------------------------------------------  
  
Description  
  
AnalogX Proxy is a simple but effective proxy server that has  
the ability to proxy requests for the following services:  
HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP.  
  
Using commands of an appropriate length, many of the services  
exhibit unchecked buffers causing the proxy server to crash  
with an invalid page fault thus creating a denial of service.  
Normally this would only be a concern for users on the LAN  
side of the proxy, but by default Proxy is configured to bind  
to all interfaces on the host and so this would be exploitable  
remotely from over the Internet.  
  
Details  
  
Standard commands of an appropriate size issued to the FTP,  
SMTP, POP3 and SOCKS services cause page faults bringing the  
entire program to a halt.  
  
Proof of concept  
  
Sending an FTP "USER" command containing approximately 370 or  
more characters to the proxy server FTP TCP port 21 will crash  
it.  
  
Example #1: nc 192.168.1.2 21 < ftp.txt  
  
Where ftp.txt contains:  
"USER [long string of ~370 chars]@isp.com"  
  
Sending an SMTP "HELO" command containing approximately 370 or  
more characters to the proxy server SMTP TCP port 25 will  
crash it.  
  
Example #2: nc 192.168.1.2 25 < smtp.txt  
  
Where smtp.txt contains:  
"HELO [long string of ~370 chars]@isp.com"  
  
Sending a POP3 "USER" command containing approximately 370 or  
more characters to the proxy server POP3 TCP port 110 will  
crash it.  
  
Example #3: nc 192.168.1.2 110 < pop3.txt  
  
Where pop3.txt contains:  
"USER [long string of ~370 chars]@isp.com"  
  
Sending a SOCKS4 "CONNECT" request with an overly large user  
ID field of roughly 1800 characters or more to the proxy  
server SOCKS TCP port 1080 will crash it.  
  
Example #4: nc 192.168.1.2 1080 < socks.dat  
  
Where socks.dat contains binary data with a user ID field of  
approx. 1800 bytes.  
  
Solution  
  
Download Proxy 4.05 from  
  
http://www.analogx.com/contents/download/network/proxy.htm  
  
Preliminary tests of the fix by Foundstone have confirmed the  
problem is corrected.  
  
Credits  
  
We would like to thank AnalogX for their prompt reaction to  
this problem and their co-operation in heightening security  
awareness in the security community.  
  
Disclaimer  
  
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT  
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS  
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY  
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR  
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED  
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE  
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE  
ADVISORY IS NOT MODIFIED IN ANY WAY.  
  