====================================================================== Anon Proxy Server <= 0.102 remote buffer overflow ====================================================================== Author: L4teral <l4teral [4t] gmail com> Impact: remote buffer overflow Status: patch available ------------------------------ Affected software description: ------------------------------ Application: Anon Proxy Server Version: <= 0.102 Vendor: http://anonproxyserver.sourceforge.net Description: A fast http, https, socks caching proxy server. Easy web based configuration, optional p2p anonymous mode. -------------- Vulnerability: -------------- When user authentication is enabled, the server can be exploited by passing a long username containing quotes. The username is checked for length, but the function strquotecpy() in the file access.c escapes quote characters by prepending a backslash, enlarging the string without checking it for the resulting length. ------------ PoC/Exploit: ------------ Use the following perl code to generate a username triggering the buffer overflow when used for authentication: #!/usr/bin/perl print "A" x 430 . '"' x 29 . "A" x 40 . "\n"; The program will catch the exception and restart itself - attach a debugger to see the EIP overwrite. --------- Solution: --------- Upgrade to version 0.103 or higher. --------- Timeline: --------- 2008-01-27 - vendor informed 2008-01-28 - vendor released patch 2008-02-03 - public disclosure