Bug 112648

Summary: net/dante: & net/socks5: Buffer Overflow in some SOCKS Server
Product: Ports & Packages Reporter: Raffaele De Lorenzo <raffaele.delorenzo>
Component: Individual Port(s) Assignee: Anders Nordby <anders>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Raffaele De Lorenzo 2007-05-14 08:00:10 UTC
I have detected a buffer overflow in DANTE SOCKS Server and in NEC SOCKS5
Server, that could be used for some attack.
 
The issue has been seen during the "connect" phase of the socks4 protocol
(and maybe also socks5...) in the tcp connection. Maybe this happens also
in socks5....

According to the NEC RFC (socks4), the socks4 packet, during the connect phase,
has the size 9 BYTE + X (where X is a variable for an optional username).

If you queue at the end of the packet some other bytes (I have queued more
than 3 bytes), the server still accepts the connection and continues the tcp
negotiation, reusing the bytes appended. This can cause possible issues
and allow malicious users to run code in the server machine. This problem
is also present in Linux OS...
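As an added illustration of the framing the report describes (example code written here, not taken from the report, from Dante or from NEC's server): a SOCKS4 CONNECT parser that honours the 9-byte-plus-USERID boundary and surfaces any bytes queued after the NUL terminator, so a server can reject them instead of carrying them into the next stage of the handshake. The 255-byte USERID limit and the sample request bytes are constructed assumptions, not protocol constants.

```python
import struct
from typing import NamedTuple, Optional

class Socks4Connect(NamedTuple):
    version: int
    command: int
    dst_port: int
    dst_ip: str
    user_id: bytes
    trailing: bytes  # bytes that arrived after the USERID terminator, if any

# Fixed part of a SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) = 8 bytes,
# then USERID and its NUL terminator: the "9 BYTE + X" framing of the report.
SOCKS4_HEADER = struct.Struct("!BBH4s")
MAX_USERID = 255  # constructed limit for this example, not a protocol constant

def parse_socks4_connect(buf: bytes) -> Optional[Socks4Connect]:
    """Parse one SOCKS4 CONNECT request; None while incomplete, ValueError if malformed.
    Bytes past the NUL terminator are not consumed but returned in `trailing`, so the
    server decides what to do with them. (SOCKS4a hostnames are not handled here.)"""
    if len(buf) < SOCKS4_HEADER.size:
        return None
    vn, cd, port, ip = SOCKS4_HEADER.unpack_from(buf, 0)
    if vn != 4:
        raise ValueError(f"not a SOCKS4 request (VN={vn})")
    if cd != 1:  # 1 = CONNECT, 2 = BIND
        raise ValueError(f"unsupported command CD={cd}")
    nul = buf.find(b"\x00", SOCKS4_HEADER.size)
    if nul == -1:
        if len(buf) - SOCKS4_HEADER.size > MAX_USERID:
            raise ValueError("USERID too long or unterminated")
        return None  # terminator not received yet; wait for more data
    user = buf[SOCKS4_HEADER.size:nul]
    if len(user) > MAX_USERID:
        raise ValueError("USERID too long")
    dst_ip = ".".join(str(b) for b in ip)
    return Socks4Connect(vn, cd, port, dst_ip, user, buf[nul + 1:])

def strict_connect(buf: bytes) -> Socks4Connect:
    """Same parser, but rejects a request that has extra bytes queued behind it."""
    req = parse_socks4_connect(buf)
    if req is None:
        raise ValueError("incomplete request")
    if req.trailing:
        raise ValueError(f"{len(req.trailing)} unexpected byte(s) after USERID")
    return req

# Constructed samples: CONNECT to 10.0.0.5:80 as user "bob", then the same
# request with three extra bytes queued behind the terminator.
GOOD = b"\x04\x01\x00\x50\x0a\x00\x00\x05bob\x00"
PADDED = GOOD + b"ABC"
```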
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2007-05-14 08:35:57 UTC
State Changed
From-To: open->feedback

Hello, 

As far as I am aware there is no SOCKS server by default in FreeBSD, can
you confirm that this is a report about the basesystem of FreeBSD? (No
contributed and/or port application?) 

If this falls outside of the FreeBSD src/ scope please report the issue
upstream so that it will get fixed for the entire world and we can
incorporate that instead. 

Thanks, 
Remko
Comment 2 Remko Lodder freebsd_committer freebsd_triage 2007-05-14 11:44:42 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ports-bugs

Although I doubt that we should be handling this, set this to the correct 
group (I got confirmation that this is about ports, not the base system).
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2007-05-24 12:12:19 UTC
Responsible Changed
From-To: freebsd-ports-bugs->anders

Over to maintainer of net/dante, at least for determining if it should be 
marked FORBIDDEN.
Comment 4 Anders Nordby freebsd_committer freebsd_triage 2007-06-04 21:52:14 UTC
State Changed
From-To: feedback->closed
Comment 5 Anders Nordby freebsd_committer freebsd_triage 2007-06-04 21:56:20 UTC
Hi,

Dante developers believe there is no such overflow, and I don't see how
your email shows there is one. If you really think there is an issue, 
maybe you should report it to dante-bugs@inet.no.

Bye,

-- 
Anders.
Comment 6 Anders Nordby freebsd_committer freebsd_triage 2007-06-04 22:03:03 UTC
State Changed
From-To: closed->feedback

Sorry. I did not intend to close this PR now. I want the originator's
feedback.
Comment 7 Mark Linimon freebsd_committer freebsd_triage 2007-06-09 17:41:46 UTC
State Changed
From-To: feedback->closed

From misfiled PR ports/113491: 

Date: Sat, 9 Jun 2007 10:44:23 +0200