Vigil@nce: Socks Server, malicious request sending
July 2009 by Vigil@nce
An attacker can send a malicious query to Socks Server, so that it
in turn sends another malicious query.
Severity: 2/4
Consequences: data reading, data creation/modification
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/07/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Socks Server proxies TCP sessions or UDP data. The second byte
of a Socksv5 packet indicates the requested proxy type:
– CONNECT (1) : TCP client
– BIND (2) : TCP server
– UDP_ASSOCIATE (3) : UDP data
The RequestParsing() function of the SS5Mod_socks4.c or
SS5Mod_socks5.c module does not check whether the proxy type
indicated in the query is greater than 3. This error has no impact
on the main code of Socks Server. However, the V52V4Request()
function, which creates the query for a chained proxy in version 4,
uses this invalid value. The second proxy thus receives this invalid
value, which may have an impact on its security.
An attacker can therefore send a malicious query to Socks Server,
so that it in turn sends another malicious query.
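As an added example (not code from Socks Server or from this advisory), the C code below applies the range check on the second byte before a Socksv5 request is rewritten as a version 4 request for a chained proxy. The function names, return codes and sample bytes are assumptions of this example; the byte layouts follow the SOCKS protocol specifications and only IPv4 destinations are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SOCKS_CONNECT = 1, SOCKS_BIND = 2, SOCKS_UDP_ASSOCIATE = 3 };
/* Return codes: names are assumptions of this example. */
enum { REQ_OK = 0, REQ_TRUNCATED = -1, REQ_BAD_VERSION = -2,
       REQ_BAD_COMMAND = -3, REQ_UNSUPPORTED = -4 };

/* Validate the fixed SOCKSv5 request header: VER, CMD, RSV, ATYP. */
int check_socks5_request(const uint8_t *req, size_t len)
{
    if (len < 4) return REQ_TRUNCATED;
    if (req[0] != 5) return REQ_BAD_VERSION;
    /* Second byte: only the three defined proxy types are accepted. */
    if (req[1] < SOCKS_CONNECT || req[1] > SOCKS_UDP_ASSOCIATE)
        return REQ_BAD_COMMAND;
    return REQ_OK;
}

/* Build the SOCKSv4 request for a chained proxy from an IPv4 SOCKSv5
 * request. Returns the number of bytes written or a negative error. */
int build_socks4_request(const uint8_t *req, size_t len,
                         uint8_t *out, size_t outlen)
{
    int rc = check_socks5_request(req, len);
    if (rc != REQ_OK) return rc;
    /* SOCKSv4 defines only CONNECT and BIND, so UDP cannot be chained. */
    if (req[1] == SOCKS_UDP_ASSOCIATE) return REQ_UNSUPPORTED;
    if (req[3] != 1) return REQ_UNSUPPORTED;   /* ATYP 1 = IPv4 only */
    if (len < 10 || outlen < 9) return REQ_TRUNCATED;
    out[0] = 4;                    /* VN */
    out[1] = req[1];               /* CD, range-checked above */
    memcpy(out + 2, req + 8, 2);   /* DSTPORT */
    memcpy(out + 4, req + 4, 4);   /* DSTIP */
    out[8] = 0;                    /* empty USERID, NUL terminator */
    return 9;
}

int main(void)
{
    /* Constructed samples: CONNECT to 192.0.2.10:8080, then CMD = 9. */
    uint8_t good[10] = {5, 1, 0, 1, 192, 0, 2, 10, 0x1F, 0x90};
    uint8_t bad[10]  = {5, 9, 0, 1, 192, 0, 2, 10, 0x1F, 0x90};
    uint8_t out[16];
    printf("good: %d\n", build_socks4_request(good, sizeof good, out, sizeof out));
    printf("bad:  %d\n", build_socks4_request(bad, sizeof bad, out, sizeof out));
    return 0;
}
```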
CHARACTERISTICS
Identifiers: BID-35587, CVE-2009-2368, VIGILANCE-VUL-8846
http://vigilance.fr/vulnerability/Socks-Server-malicious-request-sending-8846