Bug 112649

Summary: Buffer Overflow in some SOCKS Server
Product: Base System
Reporter: Raffaele De Lorenzo <raffaele.delorenzo>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Raffaele De Lorenzo 2007-05-14 08:00:11 UTC
I have detected a buffer overflow in the DANTE SOCKS server and in the NEC SOCKS5 server that could be used for some attack.

The issue has been seen during the "connect" phase of the socks4 protocol (and maybe also socks5...) in the TCP connection. Maybe this happens also in socks5....
According to the NEC RFC (socks4), a socks4 packet, during the connect phase, has the size 9 bytes + X (where X is a variable for an optional username).
If you queue at the end of the packet some other bytes (I have queued more than 3 bytes), the server still accepts the connection and continues the TCP negotiation, reusing the bytes appended. This can cause possible issues and allow malicious users to run code on the server machine. This problem is also present in Linux OS...
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2007-05-14 08:03:54 UTC
State Changed
From-To: open->closed

duplicate of 112648