J-Security Center

Title: 3proxy select() Bitmap Remote Buffer Overflow Vulnerability

Severity: HIGH

Description:

3proxy is a small set of proxy servers, including a SOCKS proxy, available under the GPL.

3proxy is prone to a buffer overflow arising from the way it uses the select() system call: descriptors are registered in an fd_set without first checking that they fit within the structure.

The select() system call is used for multiplexing multiple I/O streams on many Unix and Unix-like systems. To use it, a process sets the bits corresponding to the descriptors it is interested in within a bitfield of a predefined size (FD_SETSIZE bits). The system call, and the FD_SET/FD_CLR/FD_ISSET macros compiled into the program, set, clear or test bits based on the descriptor number and its status. The structure holding the bitfield, fd_set, is allocated in user space, typically on the stack as a local variable. Neither select() nor the macros check that a descriptor passed to them is below the maximum value the structure can hold; if a descriptor at or beyond FD_SETSIZE is supplied, both select() and the macro code will modify bits in the memory adjacent to the bitfield. It is therefore up to the developer of an application that relies on select() to ensure that this never occurs.

This vulnerability allows an attacker to manipulate at least one bit in memory at an address beyond the end of the fd_set structure. It would be exploited by opening enough connections to the server that the descriptor numbers it allocates exceed FD_SETSIZE, then sending data on some of those connections and leaving others idle so that select() sets or clears the corresponding out-of-bounds bits. Servers or clients most at risk are those that do not fork() for each connection and instead rely purely on select() for I/O multiplexing, since every accepted connection raises the descriptor number used by a single process. Remote code execution may be possible.
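As an added illustration (not code from this advisory or from 3proxy), the following C program reproduces the mechanism described above on a constructed stack frame: an fd_set followed by a marker array standing in for whatever local the compiler placed next to it. An unchecked bit store, equivalent to an unfortified FD_SET(), is driven by a simulated accept loop, and the number of neighbor bytes it corrupts is returned; the same loop through a bounds-checking wrapper rejects the oversized descriptors instead. The names struct frame, unchecked_fd_set, checked_fd_set, simulate_unchecked and simulate_checked are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* Models the stack frame of a select()-based server: the fd_set and whatever
 * local the compiler placed directly after it. The marker array is constructed
 * for this demo; in a real frame the neighbor could be a pointer, a length or
 * saved control data. */
struct frame {
    fd_set readfds;
    unsigned char neighbor[16];
};

/* readfds must sit at offset 0 so byte arithmetic over the whole struct models
 * the unchecked macro exactly (and stays inside one C object). */
_Static_assert(offsetof(struct frame, readfds) == 0, "readfds must be first");

/* The unchecked operation: what FD_SET(fd, &readfds) does on an unfortified
 * build, written as a byte-wise bit store (same layout as glibc's unsigned
 * long bitmap on little-endian hosts). Nothing stops fd / 8 from indexing
 * past sizeof(fd_set) into the neighboring member. */
static void unchecked_fd_set(int fd, struct frame *f)
{
    unsigned char *bits = (unsigned char *)f;
    bits[fd / 8] |= (unsigned char)(1u << (fd % 8));
}

/* Hardened wrapper: refuse any descriptor the bitmap cannot represent. The
 * caller must then close or reject the connection instead of registering it. */
static int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Simulate a server that accepted nconn connections (descriptors 3, 4, ...)
 * and registered each one with the unchecked store. Returns the number of
 * neighbor bytes that changed; 0 means the bitmap stayed in bounds. */
int simulate_unchecked(int nconn)
{
    struct frame f;
    int modified = 0;

    FD_ZERO(&f.readfds);
    memset(f.neighbor, 0, sizeof f.neighbor);

    for (int fd = 3; fd < 3 + nconn; fd++) {
        if (fd / 8 >= (int)sizeof f)   /* stay inside this object: the demo
                                          shows corruption, not a crash */
            break;
        unchecked_fd_set(fd, &f);
    }
    for (size_t i = 0; i < sizeof f.neighbor; i++)
        if (f.neighbor[i] != 0)
            modified++;
    return modified;
}

/* Same accept loop through the hardened wrapper. Returns how many
 * descriptors were rejected instead of being written out of bounds. */
int simulate_checked(int nconn)
{
    fd_set set;
    int rejected = 0;

    FD_ZERO(&set);
    for (int fd = 3; fd < 3 + nconn; fd++)
        if (checked_fd_set(fd, &set) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    int n = FD_SETSIZE + 5;   /* enough connections to push fds past the bitmap */
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu\n", FD_SETSIZE, sizeof(fd_set));
    printf("unchecked: %d neighbor byte(s) corrupted\n", simulate_unchecked(n));
    printf("checked:   %d descriptor(s) rejected\n", simulate_checked(n));
    return 0;
}
```

With FD_SETSIZE + 5 connections the descriptors FD_SETSIZE through FD_SETSIZE + 7 all land in the first byte past the fd_set, so the unchecked path corrupts one neighbor byte while the checked path rejects those eight descriptors. The practical fix is the same check before every FD_SET, FD_CLR and FD_ISSET and before the select() call itself, or a move to poll()/epoll, which carry no fixed descriptor limit. Note that glibc builds with _FORTIFY_SOURCE replace the unchecked macro with a bounds check that aborts the process; that turns the overflow into a crash rather than removing the need for the application-level check.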

This vulnerability was reported to affect 3proxy 0.4. Earlier versions may also be vulnerable.

Affected Products:

  • 3proxy 0.4.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.