First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 196772
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: xiaojunli <xiaojunli.air@gmail.com>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 196772 depends on: Show dependency tree
Show dependency graph
Bug 196772 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-10-23 07:47 0000 
Advisory: [AD_LAB-07006] 3proxy double free vulnerability

Class: Design Error

DATE:10/22/2007

CVEID:CVE-2007-5622 

Vulnerable:

        3proxy <=0.5.3i
Vendor:

        http://www.3proxy.ru/



I.Synopsis

A vulnerability has been discovered in 3proxy allowing for the remote execution
of arbitrary code. 

II.DETAILS:

----------

Background

3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS support.

Description

        There is a double free vulnerability in function ftpprchild().
...
if (!strncasecmp((char *)buf, "OPEN ", 5)){
        if(param->hostname) myfree(param->hostname); <--first free
        if(parsehostname((char *)buf+5, param, 21)){RETURN(803);} 

the parsehostname will free param->hostname again.
int parsehostname(char *hostname, struct clientparam *param, unsigned short
port){
                char *sp;

                if(!hostname || !*hostname)return 1;
                if ( (sp = strchr(hostname, ':')) ) *sp = 0;
                if(param->hostname) myfree(param->hostname); <-- double free


Impact

A remote attacker could send a specially crafted transparent request to the
proxy, resulting in the execution of arbitrary code with privileges of the user
running 3proxy. 

III.CREDIT: 

----------

    Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys.



V.DISCLAIMS:

-----------



The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including
direct,

indirect, incidental, consequential, loss of business profits or special
damages. 



Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.



VENUSTECH Security Lab 

VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)



Security

Trusted {Solution} Provider

Service

Reproducible: Always

Steps to Reproduce:
1.run the 3proxy-ftpr
2.nc to the 3proxy ftp proxy port(21)
3.type double OPEN x.x.x.x under nc.
4.the x.x.x.x should be connectable.

------- Comment #1 From Alin Năstac 2007-10-23 13:43:51 0000 ------- 
net-proxy/3proxy-0.5.3j is now in the tree. 
Arches should take it from here.

------- Comment #2 From Tobias Heinlein 2007-10-23 17:33:05 0000 ------- 
*** Bug 196811 has been marked as a duplicate of this bug. ***

------- Comment #3 From Tobias Heinlein 2007-10-23 17:38:10 0000 ------- 
Thanks. Arches, please mark stable net-proxy/3proxy-0.5.3j. Targets are: "amd64
ppc x86"

------- Comment #4 From Christian Faulhammer 2007-10-24 14:16:33 0000 ------- 
x86 stable

------- Comment #5 From Tobias Scherbaum 2007-10-24 17:38:35 0000 ------- 
ppc stable

------- Comment #6 From Angelo Arrifano (AMD64 AT) 2007-11-02 23:06:30 0000 ------- 
net-proxy/3proxy-0.5.3j

* Emerges on AMD64.
* Tested: socks, tcppm, udppm, proxy, ftppr

IMHO It would be nice to have a default config in /etc and a init.d script.

- -
Portage 2.1.3.16 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.22-gentoo-r9 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r9 x86_64 AMD Turion(tm) 64 X2 Mobile Technology
TL-56
Timestamp of tree: Wed, 31 Oct 2007 22:30:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -msse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/udev/rules.d"
CXXFLAGS="-march=k8 -Os -msse3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr bash-completion berkdb
bitmap-fonts branding bzip2 cairo cli cracklib crypt cups dbus divx dvd dvdr
emerald ffmpeg firefox flac fortran gd gdbm gif glade glib glitz gtk gtkspell
hal iconv insecure-savers isdnlog javascript jpeg jpeg2k kqemu libnotify midi
mmx mmxext mp2 mp3 mpeg mplayer mudflap musicbrainz mysql ncurses nls nptl
nptlonly offensive ogg opengl openmp pam pcre png pppd python readline
reflection samba sdl session smp spell spl sse sse2 ssl stream svg syslog
taglib tcpd threads truetype truetype-fonts type1 type1-fonts unicode v4l v4l2
vhosts vim-syntax vorbis xcomposite xorg xosd xpm xscreensaver xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x
ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3
trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux"
LCD_DEVICES="xosd" USERLAND="GNU" VIDEO_CARDS="nv nvidia none"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #7 From Alin Năstac 2007-11-03 08:43:40 0000 ------- 
(In reply to comment #6)
> IMHO It would be nice to have a default config in /etc and a init.d script.

IMO installing a init script for every proxy will clutter the init.d directory.
Most probably the user wants only one or two programs anyway.

------- Comment #8 From Christoph Mende 2007-11-04 14:14:50 0000 ------- 
amd64 stable

------- Comment #9 From Pierre-Yves Rofes 2007-11-08 20:52:26 0000 ------- 
GLSA 200711-13
First Last Prev Next    No search results available      Search page      Enter new bug