Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
AnalogX Proxy DoS
----------------------------------------------------------------------

FS Advisory ID:       FS-072500-7-ANA.txt
Release Date:         July 25, 2000
Product:              Proxy
Vendor:               AnalogX (http://www.analogx.com)
Vendor Advisory:      New patched version 4.05 available
Type:                 Denial of service through multiple buffer overflows.
Severity:             Low
Author:               Robin Keir (robin.keir@foundstone.com)
                      Stuart McClure (stuart.mcclure@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    All Windows operating systems supported by Proxy
Vulnerable versions:  Proxy 4.04 (and possibly previous versions)
Foundstone Advisory:  http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

AnalogX Proxy is a simple but effective proxy server that can proxy
requests for the following services: HTTP, HTTPS, SOCKS4, SOCKS4a,
SOCKS5, NNTP, POP3, SMTP and FTP.

When sent commands of sufficient length, many of these services exhibit
unchecked buffers, causing the proxy server to crash with an invalid
page fault and thus creating a denial of service. Normally this would
only be a concern for users on the LAN side of the proxy, but by default
Proxy is configured to bind to all interfaces on the host, so the
problem is exploitable remotely from over the Internet.

Details

Standard commands of sufficient size issued to the FTP, SMTP, POP3 and
SOCKS services cause page faults, bringing the entire program to a halt.

Proof of concept

Sending an FTP "USER" command containing approximately 370 or more
characters to the proxy server FTP TCP port 21 will crash it.

Example #1:

    nc 192.168.1.2 21 < ftp.txt

Where ftp.txt contains:

    "USER [long string of ~370 chars]@isp.com"

Sending an SMTP "HELO" command containing approximately 370 or more
characters to the proxy server SMTP TCP port 25 will crash it.

Example #2:

    nc 192.168.1.2 25 < smtp.txt

Where smtp.txt contains:

    "HELO [long string of ~370 chars]@isp.com"

Sending a POP3 "USER" command containing approximately 370 or more
characters to the proxy server POP3 TCP port 110 will crash it.

Example #3:

    nc 192.168.1.2 110 < pop3.txt

Where pop3.txt contains:

    "USER [long string of ~370 chars]@isp.com"

Sending a SOCKS4 "CONNECT" request with an overly large user ID field of
roughly 1800 characters or more to the proxy server SOCKS TCP port 1080
will crash it.

Example #4:

    nc 192.168.1.2 1080 < socks.dat

Where socks.dat contains binary data with a user ID field of approx.
1800 bytes.

Solution

Download Proxy 4.05 from
http://www.analogx.com/contents/download/network/proxy.htm

Preliminary tests of the fix by Foundstone have confirmed that the
problem is corrected.

Credits

We would like to thank AnalogX for their prompt reaction to this problem
and their co-operation in heightening security awareness in the security
community.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF
FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT
NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS
ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS
ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS
OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS
INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED
THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
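The Description and Proof of concept sections above describe fields copied into unchecked buffers: a long argument on a text command (FTP/POP3 "USER", SMTP "HELO") and a long USERID in a SOCKS4 CONNECT request. The following added example, written for this page and not taken from the advisory or from AnalogX, shows the bounds-checked parsing for both request shapes; the caps MAX_VERB, MAX_ARG and MAX_UID are assumed policy values, not the vendor's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed caps (policy values, not from the advisory or the vendor). */
#define MAX_VERB 8     /* FTP/SMTP/POP3 verbs are 4 letters */
#define MAX_ARG  255   /* longest command argument accepted */
#define MAX_UID  255   /* longest SOCKS4 USERID accepted */

struct text_cmd { char verb[MAX_VERB + 1]; char arg[MAX_ARG + 1]; };

/* "USER <arg>" / "HELO <arg>" style line. Returns 0 on success, -1 if the
 * verb is missing or a field exceeds its cap; nothing is copied until the
 * length has been checked against the destination buffer. */
int parse_text_cmd(const char *line, size_t len, struct text_cmd *out)
{
    size_t i = 0, n = 0;
    while (i < len && line[i] != ' ' && line[i] != '\r' && line[i] != '\n') i++;
    if (i == 0 || i > MAX_VERB) return -1;        /* verb missing or too long */
    memcpy(out->verb, line, i);
    out->verb[i] = '\0';
    if (i < len && line[i] == ' ') i++;           /* single separator */
    while (i + n < len && line[i + n] != '\r' && line[i + n] != '\n') n++;
    if (n > MAX_ARG) return -1;                   /* a ~370-char argument stops here */
    memcpy(out->arg, line + i, n);
    out->arg[n] = '\0';
    return 0;
}

struct socks4_req { uint16_t port; uint32_t ip; char uid[MAX_UID + 1]; };

/* SOCKS4 CONNECT: VN(1)=4 CD(1)=1 DSTPORT(2) DSTIP(4) USERID... NUL.
 * Returns 0 on success, -1 if malformed, truncated or USERID too long. */
int parse_socks4(const uint8_t *buf, size_t len, struct socks4_req *out)
{
    size_t n;
    if (len < 9 || buf[0] != 4 || buf[1] != 1) return -1;
    out->port = (uint16_t)((buf[2] << 8) | buf[3]);
    out->ip = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
              ((uint32_t)buf[6] << 8) | buf[7];
    /* Scan for the terminator only within the cap, so an ~1800-byte
     * USERID is refused before any byte of it is copied. */
    for (n = 0; n <= MAX_UID; n++) {
        if (8 + n >= len) return -1;              /* request truncated */
        if (buf[8 + n] == '\0') break;
    }
    if (n > MAX_UID) return -1;
    memcpy(out->uid, buf + 8, n);
    out->uid[n] = '\0';
    return 0;
}
```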