Vigil@nce: Socks Server, malicious request sending
July 2009 by Vigil@nce
An attacker can send a malicious query to Socks Server, so that it will send another malicious query.
Consequences: data reading, data creation/modification
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/07/2009
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Socks Server proxies TCP sessions or UDP data. The second byte of a Socksv5 packet indicates the requested proxy type:
CONNECT (1): TCP client
BIND (2): TCP server
UDP_ASSOCIATE (3): UDP data
The RequestParsing() function of the SS5Mod_socks4.c or SS5Mod_socks5.c module does not check whether the proxy type indicated in the query is greater than 3. This error has no impact in the main code of Socks Server. However, the V52V4Request() function, which creates the version 4 query for a chained proxy, uses this invalid value. The second proxy thus receives this invalid value, which may have an impact on its security.
An attacker can therefore send a malicious query to Socks Server, so that it will send another malicious query.
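The missing range check and a second check at the v5-to-v4 conversion point, as an added example that is not Socks Server's own code: the function names, the struct and the sample request are hypothetical, and the sketch handles IPv4 destinations only. It also relies on the fact that SOCKSv4 defines only CONNECT and BIND, so UDP_ASSOCIATE is refused before a chained version 4 query is built.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { CMD_CONNECT = 1, CMD_BIND = 2, CMD_UDP_ASSOCIATE = 3 };

struct socks5_req { uint8_t cmd; uint8_t addr[4]; uint8_t port[2]; };

/* Parse VER CMD RSV ATYP DST.ADDR DST.PORT (IPv4 only in this sketch).
 * Returns 0 on success, -1 if the request must be rejected. */
int parse_socks5_request(const uint8_t *buf, size_t len, struct socks5_req *req)
{
    if (len < 10 || buf[0] != 5) return -1;      /* too short or wrong version */
    if (buf[1] < CMD_CONNECT || buf[1] > CMD_UDP_ASSOCIATE)
        return -1;                               /* range check the advisory reports as missing */
    if (buf[2] != 0 || buf[3] != 1) return -1;   /* RSV must be 0; ATYP 1 = IPv4 */
    req->cmd = buf[1];
    memcpy(req->addr, buf + 4, 4);
    memcpy(req->port, buf + 8, 2);
    return 0;
}

/* Build the SOCKSv4 query for the chained proxy: VN CD DSTPORT DSTIP USERID NUL.
 * The command is validated again here, so the second proxy never receives a
 * value that SOCKSv4 does not define. Returns bytes written or -1. */
int build_socks4_request(const struct socks5_req *req, uint8_t *out, size_t cap)
{
    if (req->cmd != CMD_CONNECT && req->cmd != CMD_BIND) return -1; /* v4 has no UDP */
    if (cap < 9) return -1;
    out[0] = 4;                                  /* VN */
    out[1] = req->cmd;                           /* CD */
    memcpy(out + 2, req->port, 2);
    memcpy(out + 4, req->addr, 4);
    out[8] = 0;                                  /* empty USERID, NUL terminated */
    return 9;
}

/* Constructed sample: a v5 request to 192.0.2.10:80 carrying command byte cmd.
 * Returns the length of the v4 query that would be forwarded, or -1 if refused. */
int relay_sample(uint8_t cmd)
{
    uint8_t v5[10] = { 5, cmd, 0, 1, 192, 0, 2, 10, 0, 80 };
    uint8_t v4[16];
    struct socks5_req req;
    if (parse_socks5_request(v5, sizeof v5, &req) != 0) return -1;
    return build_socks4_request(&req, v4, sizeof v4);
}
```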
Identifiers: BID-35587, CVE-2009-2368, VIGILANCE-VUL-8846