196772 2007-10-23 07:47 0000 net-proxy/3proxy <0.5.3j Double free vulnerability (CVE-2007-5622) 2007-11-08 20:52:26 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27353/ B1 [glsa] P2 major --- 1 xiaojunli.air@gmail.com security@gentoo.org keytoaster@gentoo.org net-proxy@gentoo.org xiaojunli.air@gmail.com 2007-10-23 07:47:00 0000 Advisory: [AD_LAB-07006] 3proxy double free vulnerability Class: Design Error DATE:10/22/2007 CVEID:CVE-2007-5622 Vulnerable: 3proxy <=0.5.3i Vendor: http://www.3proxy.ru/ I.Synopsis A vulnerability has been discovered in 3proxy allowing for the remote execution of arbitrary code. II.DETAILS: ---------- Background 3proxy is a multi-protocol proxy, including HTTP/HTTPS/FTP and SOCKS support. Description There is a double free vulnerability in function ftpprchild(). ... if (!strncasecmp((char *)buf, "OPEN ", 5)){ if(param->hostname) myfree(param->hostname); <--first free if(parsehostname((char *)buf+5, param, 21)){RETURN(803);} the parsehostname will free param->hostname again. int parsehostname(char *hostname, struct clientparam *param, unsigned short port){ char *sp; if(!hostname || !*hostname)return 1; if ( (sp = strchr(hostname, ':')) ) *sp = 0; if(param->hostname) myfree(param->hostname); <-- double free Impact A remote attacker could send a specially crafted transparent request to the proxy, resulting in the execution of arbitrary code with privileges of the user running 3proxy. III.CREDIT: ---------- Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys. V.DISCLAIMS: ----------- The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use. VENUSTECH Security Lab VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) Security Trusted {Solution} Provider Service Reproducible: Always Steps to Reproduce: 1.run the 3proxy-ftpr 2.nc to the 3proxy ftp proxy port(21) 3.type double OPEN x.x.x.x under nc. 4.the x.x.x.x should be connectable. mrness@gentoo.org 2007-10-23 13:43:51 0000 net-proxy/3proxy-0.5.3j is now in the tree. Arches should take it from here. keytoaster@gentoo.org 2007-10-23 17:33:05 0000 *** Bug 196811 has been marked as a duplicate of this bug. *** keytoaster@gentoo.org 2007-10-23 17:38:10 0000 Thanks. Arches, please mark stable net-proxy/3proxy-0.5.3j. Targets are: "amd64 ppc x86" fauli@gentoo.org 2007-10-24 14:16:33 0000 x86 stable dertobi123@gentoo.org 2007-10-24 17:38:35 0000 ppc stable miknix@gentoo.org 2007-11-02 23:06:30 0000 net-proxy/3proxy-0.5.3j * Emerges on AMD64. * Tested: socks, tcppm, udppm, proxy, ftppr IMHO It would be nice to have a default config in /etc and a init.d script. - - Portage 2.1.3.16 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 x86_64) ================================================================= System uname: 2.6.22-gentoo-r9 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-56 Timestamp of tree: Wed, 31 Oct 2007 22:30:01 +0000 app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -Os -msse3 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=k8 -Os -msse3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr bash-completion berkdb bitmap-fonts branding bzip2 cairo cli cracklib crypt cups dbus divx dvd dvdr emerald ffmpeg firefox flac fortran gd gdbm gif glade glib glitz gtk gtkspell hal iconv insecure-savers isdnlog javascript jpeg jpeg2k kqemu libnotify midi mmx mmxext mp2 mp3 mpeg mplayer mudflap musicbrainz mysql ncurses nls nptl nptlonly offensive ogg opengl openmp pam pcre png pppd python readline reflection samba sdl session smp spell spl sse sse2 ssl stream svg syslog taglib tcpd threads truetype truetype-fonts type1 type1-fonts unicode v4l v4l2 vhosts vim-syntax vorbis xcomposite xorg xosd xpm xscreensaver xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LCD_DEVICES="xosd" USERLAND="GNU" VIDEO_CARDS="nv nvidia none" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS mrness@gentoo.org 2007-11-03 08:43:40 0000 (In reply to comment #6) > IMHO It would be nice to have a default config in /etc and a init.d script. IMO installing a init script for every proxy will clutter the init.d directory. Most probably the user wants only one or two programs anyway. angelos@gentoo.org 2007-11-04 14:14:50 0000 amd64 stable py@gentoo.org 2007-11-08 20:52:26 0000 GLSA 200711-13