COMMAND
AnalogX
SYSTEMS AFFECTED
AnalogX prior to 4.05
PROBLEM
Following is based on a Foundstone Security Advisory. AnalogX
Proxy is a simple but effective proxy server that has the ability
to proxy requests for the following services: HTTP, HTTPS,
SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP.
Using commands of an appropriate length, many of the services
exhibit unchecked buffers causing the proxy server to crash with
an invalid page fault thus creating a denial of service. Normally
this would only be a concern for users on the LAN side of the
proxy, but by default Proxy is configured to bind to all
interfaces on the host and so this would be exploitable remotely
from over the Internet.
Standard commands of an appropriate size issued to the FTP, SMTP,
POP3 and SOCKS services cause page faults bringing the entire
program to a halt.
Sending an FTP "USER" command containing approximately 370 or
more characters to the proxy server FTP TCP port 21 will crash
it.
Example #1:
nc 192.168.1.2 21 < ftp.txt
Where ftp.txt contains:
USER [long string of ~370 chars]@isp.com
Sending an SMTP "HELO" command containing approximately 370 or
more characters to the proxy server SMTP TCP port 25 will crash
it.
Example #2:
nc 192.168.1.2 21 < smtp.txt
Where smtp.txt contains:
HELO [long string of ~370 chars]@isp.com
Sending a POP3 "USER" command containing approximately 370 or
more characters to the proxy server POP3 TCP port 110 will
crash it.
Example #3:
nc 192.168.1.2 21 < pop3.txt
Where pop3.txt contains:
USER [long string of ~370 chars]@isp.com
Sending a SOCKS4 "CONNECT" request with an overly large user ID
field of roughly 1800 characters or more to the proxy server SOCKS
TCP port 1080 will crash it.
Example #4:
nc 192.168.1.2 1080 < socks.dat
Where socks.dat contains binary data with a user ID field of
approx. 1800 bytes.
SOLUTION
Download Proxy 4.05 from
http://www.analogx.com/contents/download/network/proxy.htm
Prelimiary tests of the fix by Foundstone have confirmed the
problem is corrected.