Message-ID: <471E1591.7000103@gmail.com>
Date: Tue, 23 Oct 2007 23:38:57 +0800
From: "xiaojunli.air" <xiaojunli.air@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: 3proxy double free vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

3proxy double free vulnerability
[Security Advisory]

Advisory: [AD_LAB-07006] 3proxy double free vulnerability
Class: Design Error
DATE:10/22/2007
CVEID:CVE-2007-5622
Vulnerable:
	3proxy <=0.5.3i
Vendor:
	http://www.3proxy.ru/

I.Synopsis

A vulnerability has been discovered in 3proxy.

II.DETAILS:
- ----------
Background

3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS
support.

Description

	There is a double free vulnerability in the function ftpprchild():
...
if (!strncasecmp((char *)buf, "OPEN ", 5)){
	if(param->hostname) myfree(param->hostname); /* <-- first free */
	if(parsehostname((char *)buf+5, param, 21)){RETURN(803);}

parsehostname() then frees param->hostname again, because the pointer is
not reset after the first free:
int parsehostname(char *hostname, struct clientparam *param, unsigned short port){
		char *sp;

		if(!hostname || !*hostname)return 1;
		if ( (sp = strchr(hostname, ':')) ) *sp = 0;
		if(param->hostname) myfree(param->hostname); /* <-- double free */


Impact
	A remote attacker can cause instability and potentially crash the service
by issuing the "OPEN" command to the FTP proxy more than once.

Resolution
==========
A new version can be downloaded from

http://3proxy.ru/download/

III.CREDIT:
- ----------
    Venustech AD-LAB discovered this vulnerability. Thanks to all
Venustech AD-Lab guys.

V.DISCLAIMER:
- -----------

The information in this bulletin is provided "AS IS" without warranty of
any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Security
Trusted {Solution} Provider
Service
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHHhVrFVSdIDJXOo0RAsphAJ4zHLat+GcjOtwcz5C0gFA1Mc8zEQCdFG1g
pCTMq/tnk2Lkc+AGQq7gm0U=
=Zi/2
-----END PGP SIGNATURE-----
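
The free/free sequence described in the advisory, as an added example that is not part of the original advisory and is not 3proxy's code. struct clientparam, myfree() and parsehostname() are reduced stand-ins, handle_open() and count_double_frees() are hypothetical names, and myfree() tracks the live block so the second free is counted rather than performed; clearing the pointer after the first free is one possible fix, assumed here and not necessarily the vendor's patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for 3proxy's struct clientparam and myfree(). */
struct clientparam { char *hostname; };
static void *live;        /* the one hostname block currently allocated */
static int double_frees;  /* frees of a block that is no longer live */

static void myfree(void *p) {
    if (p != live) { double_frees++; return; } /* record it, never re-free */
    free(p);
    live = NULL;
}

/* Same order of operations as the advisory's parsehostname() excerpt. */
static int parsehostname(char *hostname, struct clientparam *param) {
    char *sp;
    if (!hostname || !*hostname) return 1;
    if ((sp = strchr(hostname, ':'))) *sp = 0;
    if (param->hostname) myfree(param->hostname);
    if (!(param->hostname = malloc(strlen(hostname) + 1))) return 1;
    live = strcpy(param->hostname, hostname);
    return 0;
}

/* One "OPEN host" command; fixed=1 clears the pointer after the free. */
static int handle_open(struct clientparam *param, char *arg, int fixed) {
    if (param->hostname) {
        myfree(param->hostname);
        if (fixed) param->hostname = NULL;
    }
    return parsehostname(arg, param);
}

/* Sends OPEN twice (constructed input); returns double frees caught. */
int count_double_frees(int fixed) {
    struct clientparam param = { NULL };
    char a[] = "ftp.example.test:21", b[] = "ftp2.example.test";
    double_frees = 0;
    handle_open(&param, a, fixed);
    handle_open(&param, b, fixed);
    if (param.hostname) myfree(param.hostname);
    return double_frees;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", count_double_frees(0), count_double_frees(1));
    return 0;
}
```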
