DProxy Stack-Based Buffer-Overflow Vulnerability
BID:23112
Info
| Bugtraq ID: | 23112 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-1465 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 23 2007 12:00AM |
| Updated: | Mar 23 2007 06:13PM |
| Credit: | Alexander Klink discovered this issue. |
| Vulnerable: | Matthew Pratt dproxy 0.5, 0.4, 0.3, 0.2, 0.1 |
| Not Vulnerable: | |
Discussion
Dproxy is prone to a stack-based buffer-overflow vulnerability because it copies the query section of a received DNS packet into a fixed-size stack buffer without first checking that the data fits.
Exploiting this issue could lead to denial-of-service conditions and to the execution of arbitrary machine code in the context of the service, which is remotely reachable by anyone who can send DNS requests to the proxy.
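The pattern behind this bug, and the pitfall in the posted strncpy patch, as an added example that is not dproxy's code. The buffer size, the helper names and the query strings are assumptions for illustration; dproxy's real buffer size is not given on this page. The example contrasts the unbounded strcpy with a bounded copy that rejects oversized input, and shows that strncpy bounded by sizeof(buffer) can leave the buffer without a terminating NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer (hypothetical, not dproxy's). */
#define QUERY_MAX 256

/*
 * Models the original strcpy( query_string, pkt.buf ): returns 1 if copying
 * src (plus its NUL) into a dst_len-byte buffer would write past its end,
 * 0 otherwise. It does not perform the copy, so hostile input is safe here.
 */
int strcpy_would_overflow(size_t dst_len, const char *src)
{
    return strlen(src) + 1 > dst_len;
}

/*
 * Models the posted patch, strncpy( dst, src, dst_len ): returns 1 if dst is
 * NUL-terminated afterwards, 0 if not. When src is dst_len bytes or longer,
 * strncpy fills dst completely and stores no terminator, so any later
 * string function on dst reads past the buffer.
 */
int strncpy_terminated(size_t dst_len, const char *src)
{
    char *dst = malloc(dst_len);
    if (dst == NULL)
        return -1;
    strncpy(dst, src, dst_len);
    int terminated = memchr(dst, '\0', dst_len) != NULL;
    free(dst);
    return terminated;
}

/*
 * Hardened copy: returns 0 and leaves dst NUL-terminated on success, or -1
 * with dst set to "" if src (plus its NUL) does not fit. Rejecting the packet
 * is preferable to silent truncation, which would hand a mangled name to the
 * domain-name decoder.
 */
int copy_query_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed input: a query of len bytes, caller frees. */
static char *make_query(size_t len)
{
    char *q = malloc(len + 1);
    if (q == NULL)
        return NULL;
    memset(q, 'A', len);
    q[len] = '\0';
    return q;
}

int main(void)
{
    char query_string[QUERY_MAX];
    char *benign = make_query(20);
    char *hostile = make_query(600);   /* longer than the buffer */

    printf("benign : strcpy overflows=%d strncpy terminated=%d bounded rc=%d\n",
           strcpy_would_overflow(sizeof query_string, benign),
           strncpy_terminated(sizeof query_string, benign),
           copy_query_bounded(query_string, sizeof query_string, benign));
    printf("hostile: strcpy overflows=%d strncpy terminated=%d bounded rc=%d\n",
           strcpy_would_overflow(sizeof query_string, hostile),
           strncpy_terminated(sizeof query_string, hostile),
           copy_query_bounded(query_string, sizeof query_string, hostile));

    free(benign);
    free(hostile);
    return 0;
}
```

The boundary case worth keeping in mind is a query of exactly QUERY_MAX bytes: strcpy overflows by one byte, strncpy bounded by sizeof(query_string) copies without a terminator, and only the bounded copy reports the problem.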
Exploit / POC
The following exploit is available:
Solution / Fix
Solution:
The vendor has reportedly stopped maintaining the vulnerable package. The dproxy-nexgen package was created as a replacement for dproxy, and is not vulnerable to this issue.
The reporter of this issue provided the following patch to address this issue. Symantec has not confirmed or tested this patch.
--- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100
+++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100
@@ -105,7 +105,7 @@
/* child process only here */
signal(SIGCHLD, SIG_IGN);
- strcpy( query_string, pkt.buf );
+ strncpy( query_string, pkt.buf, sizeof(query_string) );
decode_domain_name( query_string );
debug("query: %s\n", query_string );
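Review bot: the `+ strncpy( query_string, pkt.buf, sizeof(query_string) )` line stops the write past query_string but does not guarantee a terminating NUL: when pkt.buf holds sizeof(query_string) bytes or more before its first NUL, strncpy fills the whole buffer and stores no terminator, so the following decode_domain_name( query_string ) and debug("query: %s\n", query_string ) read past the end of the buffer. Copy at most sizeof(query_string) - 1 bytes and terminate explicitly, e.g. `strncpy( query_string, pkt.buf, sizeof(query_string) - 1 ); query_string[sizeof(query_string) - 1] = '\0';`, or better, check the length first and drop packets whose query does not fit instead of silently truncating a name that decode_domain_name will then misparse.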
References
References:
- [Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow (Alexander Klink)
- dproxy Home Page (Matthew Pratt)
- Security Advisory AKLINK-SA-2007-001 (Cynops GmbH)