dproxy-nexgen remote

2007.04.05
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi mu-b & all,

On Sat, Mar 31, 2007 at 01:18:00AM +0100, mu-b wrote:
> attached is an exploit for the latest dproxy-nexgen, seems the
> latest version is just as bad as the previous dproxy-0.5...

Good work, definitely looks like it. Here is a small patch on what I needed to change/add to make it work on my Debian stable test image:

--- dproxy-v1.c.orig 2007-03-31 11:12:39.000000000 +0200 +++ dproxy-v1.c 2007-03-31 11:10:41.000000000 +0200 @@ -41,7 +41,7 @@ "x0bx52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53" "x89xe1xcdx80"; -#define NUM_TARGETS 1 +#define NUM_TARGETS 2 struct target_t {
@@ -58,6 +58,9 @@ {"dproxy-nexgen (tar.gz)", 512, 25, bndshell_lnx, 284, 0x08048cf9} , + {"dproxy-nexgen (tar.gz, Debian stable)", + 512, 25, bndshell_lnx, 281, 0x08048cf8} + , {0} };

With that patch it works just fine and is indeed the missing link to say that dproxy is remote-root exploitable in all versions. The case with dproxy-nexgen is much worse than with dproxy 0.1-0.5, though, as it is used in a number of WLAN APs, at least the following:

- Linksys WRT54AG [0]
- Linksys WRT54G with the BatBox firmware replacement [0]
- Asus WL500g [1]
- Netgear DG834G [2]
- FRITZ!Box WLAN 7170 (and possibly others) [3]

> problem exists because of lack of NULL checking in dns_decode_reverse_name...

I was roughly expecting something like this, but did not have enough time to look into it deeper. dns_decode_name looks vulnerable to me, too, as name is 255 bytes and buf is a max of 512. So asking for the DNS name 255xA.255x[overflow] should be another option.

I guess we can conclude that dproxy is quite broken (from what I read on the web, not only security-wise) and should be replaced.

Best regards,
Alex

[0]: http://dproxy.sf.net
[1]: http://wl500g.info/showthread.php/?p=7945
[2]: http://www.galliford.org/dg834g/
[3]: http://www.ip-phone-forum.de/showthread.php?t=78556&page=2 (german)

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch
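Review bot: the header timestamps of the quoted patch run against the direction of the change: dproxy-v1.c.orig is stamped 11:12:39 and dproxy-v1.c 11:10:41, so the file labelled as the original is the newer of the two, while the hunk body (`-#define NUM_TARGETS 1` / `+#define NUM_TARGETS 2`) and the surrounding text read old-to-new; regenerating the diff from a pristine copy of dproxy-v1.c would remove that ambiguity.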
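The size mismatch Alex points at (a 255-byte name buffer fed from a message of up to 512 bytes) is the classic unbounded-copy defect in DNS name decoding. The following is an added, defender-side example and is not code from dproxy, from mu-b's exploit or from this mail: a wire-format name decoder that bounds every copy by the message length, the output size and the RFC 1035 limits, exercised with constructed inputs including the oversized-name case described above. The function names (dns_decode_name_safe, dns_encode_name_unchecked and the check_* helpers) are hypothetical and are not dproxy's own dns_decode_name; the constructed name buffer and limits are assumptions of the example, not values taken from dproxy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX  255   /* RFC 1035: whole name in wire form, incl. terminator */
#define DNS_LABEL_MAX 63    /* RFC 1035: single label */
#define DNS_MSG_MAX   512   /* classic UDP payload; the "buf" size from the mail */

/* Hypothetical safe decoder (not dproxy's). Decodes the wire-format name at
 * buf[pos] into a dotted, NUL-terminated string in out, bounding every copy by
 * the message length, the output length and the RFC limits. Returns wire bytes
 * consumed, or -1 on truncated, oversized or otherwise malformed input. Length
 * octets above 63 (compression pointers) are rejected to keep the example short. */
int dns_decode_name_safe(const uint8_t *buf, size_t buflen, size_t pos,
                         char *out, size_t outlen)
{
    size_t start = pos, olen = 0, wire_total = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= buflen) return -1;                 /* length octet missing */
        uint8_t len = buf[pos++];
        if (len == 0) break;                          /* root label: done */
        if (len > DNS_LABEL_MAX) return -1;           /* oversized or pointer */
        if (pos + len > buflen) return -1;            /* label past message end */
        wire_total += 1 + len;
        if (wire_total + 1 > DNS_NAME_MAX) return -1; /* whole name too long */
        /* output needs the label, a dot unless first label, and the NUL */
        if (olen + len + (olen ? 1 : 0) + 1 > outlen) return -1;
        if (olen) out[olen++] = '.';
        memcpy(out + olen, buf + pos, len);
        olen += len;
        pos += len;
    }
    out[olen] = '\0';
    return (int)(pos - start);
}

/* Encodes a dotted name to wire form to construct test input. On purpose it
 * enforces no limits, so it can build names that the decoder must reject. */
size_t dns_encode_name_unchecked(const char *name, uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (pos + 1 + len >= buflen) return 0;
        buf[pos++] = (uint8_t)len;
        memcpy(buf + pos, name, len);
        pos += len;
        name = dot ? dot + 1 : name + len;
    }
    buf[pos++] = 0;
    return pos;
}

/* Constructed checks (no real traffic); each returns 1 when the decoder behaves as intended. */
int check_valid_name(void)
{
    uint8_t wire[DNS_MSG_MAX]; char out[DNS_NAME_MAX + 1];
    size_t n = dns_encode_name_unchecked("www.example.com", wire, sizeof wire);
    int used = dns_decode_name_safe(wire, n, 0, out, sizeof out);
    return used == 17 && strcmp(out, "www.example.com") == 0;
}

int check_overlong_name_rejected(void)
{
    /* five 63-byte labels: 321 wire bytes, past the 255-byte name limit yet
     * well inside a 512-byte message, the shape of input the mail describes */
    char name[5 * 64 + 1]; size_t p = 0;
    for (int i = 0; i < 5; i++) {
        if (i) name[p++] = '.';
        memset(name + p, 'A', 63);
        p += 63;
    }
    name[p] = '\0';
    uint8_t wire[DNS_MSG_MAX]; char out[DNS_NAME_MAX + 1];
    size_t n = dns_encode_name_unchecked(name, wire, sizeof wire);
    return n == 321 && dns_decode_name_safe(wire, n, 0, out, sizeof out) == -1;
}

int check_malformed_labels_rejected(void)
{
    const uint8_t too_long[] = { 64, 'B' };            /* label limit is 63 */
    const uint8_t truncated[] = { 5, 'a', 'b', 'c' };  /* claims 5 bytes, has 3 */
    char out[DNS_NAME_MAX + 1];
    return dns_decode_name_safe(too_long, sizeof too_long, 0, out, sizeof out) == -1
        && dns_decode_name_safe(truncated, sizeof truncated, 0, out, sizeof out) == -1;
}

int check_small_output_rejected(void)
{
    uint8_t wire[DNS_MSG_MAX]; char out[8];            /* too small for the name */
    size_t n = dns_encode_name_unchecked("www.example.com", wire, sizeof wire);
    return dns_decode_name_safe(wire, n, 0, out, sizeof out) == -1;
}

int main(void)
{
    printf("valid: %d  overlong: %d  malformed: %d  small out: %d  (1 = as intended)\n",
           check_valid_name(), check_overlong_name_rejected(),
           check_malformed_labels_rejected(), check_small_output_rejected());
    return 0;
}
```

Build with `cc -std=c99 -Wall dns_name_safe.c`. The point of the shape is that the decoder never trusts a length octet on its own: the message bound stops a truncated label, the RFC bounds stop a name that is legal in size for the 512-byte message but not for the 255-byte name buffer, and the output bound stops a copy into a caller's buffer that is smaller than the name. A fix to a decoder of the kind the mail describes needs all three checks, not only a NULL check on the result.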

