| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 3 Feb 2008 20:09:41 +0100 From: L4teral <l4teral@...il.com> To: bugtraq@...urityfocus.com Subject: Anon Proxy Server <= 0.102 remote buffer overflow ====================================================================== Anon Proxy Server <= 0.102 remote buffer overflow ====================================================================== Author: L4teral <l4teral [4t] gmail com> Impact: remote buffer overflow Status: patch available ------------------------------ Affected software description: ------------------------------ Application: Anon Proxy Server Version: <= 0.102 Vendor: http://anonproxyserver.sourceforge.net Description: A fast http, https, socks caching proxy server. Easy web based configuration, optional p2p anonymous mode. -------------- Vulnerability: -------------- When user authentication is enabled, the server can be exploited by passing a long username containing quotes. The username is checked for length, but the function strquotecpy() in the file access.c escapes quote characters by prepending a backslash, enlarging the string without checking it for the resulting length. ------------ PoC/Exploit: ------------ Use the following perl code to generate a username triggering the buffer overflow when used for authentication: #!/usr/bin/perl print "A" x 430 . '"' x 29 . "A" x 40 . "\n"; The program will catch the exception and restart itself - attach a debugger to see the EIP overwrite. --------- Solution: --------- Upgrade to version 0.103 or higher. --------- Timeline: --------- 2008-01-27 - vendor informed 2008-01-28 - vendor released patch 2008-02-03 - public disclosure
Powered by blists - more mailing lists