A security flaw has been identified in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon widely used in small network environments.
The vulnerability, cataloged under CVE-2023-49606, allows remote attackers to execute arbitrary code on the host machine.
This flaw poses a critical risk as it could enable attackers to gain unauthorized access to network resources, potentially leading to further exploitation of internal systems.
Tinyproxy is designed to be a minimalistic proxy solution, which makes it popular in environments where system resources are limited and a full-featured proxy would be impractical.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Despite its benefits, this vulnerability highlights a severe risk of its deployment, especially in security-sensitive environments.
CVE-2023-49606 – HTTP Connection Headers use-after-free vulnerability
The vulnerability stems from improper memory handling within Tinyproxy’s HTTP request parsing mechanism.
Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected server.
This triggers a buffer overflow or a use-after-free error, leading to arbitrary code execution under the privileges of the Tinyproxy process.
On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free
.
Tinyproxy does exactly that in the remove_connection_headers() function:
static int remove_connection_headers (orderedmap hashofheaders)
         {
                static const char *headers[] = {
                        "connection",
                        "proxy-connection"
                };
                for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                        /* Look for the connection header. If it's not found, return. */
                        data = orderedmap_find(hashofheaders,headers[i]);                       (1)
                        if (!data)
                                return 0;                                                        (2)
                                                  ...      Â
                        ptr = data;               Â
                        while (ptr < data + len) {
                                orderedmap_remove (hashofheaders, ptr);                          (3)
                                                                       ...      Â
                        }
                        /* Now remove the connection header it self. */
                        orderedmap_remove (hashofheaders, headers[i]);                           (4)
                              }
                              return 0;
         }
Exploit Proof of Concept
As mentioned, the PoC for the vulnerability is a very simple HTTP request. One variation is:
GET / HTTP/1.1
 Connection: Connection
 Host: 192.168.86.166:8000
Assuming there is an actual host at 192.168.86.166:8000, one can do:
 cat heap-uaf.poc | nc 127.0.0.1 8888
With the relevant tinyproxy.config being:
Port 8888
 Listen 127.0.0.1
 The issue was first reported by the Cisco Talos Intelligence Group, which regularly scans popular open-source software for security vulnerabilities.
Following the discovery, patches and updates were swiftly released to mitigate the risk.
Users of Tinyproxy are urged to update to the latest version to protect against potential exploits.
Mitigation and Recommendations
For network administrators and users of Tinyproxy, it is crucial to apply the security patches provided by the developers immediately.
Additionally, monitoring network activity for any unusual behavior that might indicate an attempt to exploit this vulnerability is recommended.
Organizations should also consider implementing additional security measures such as intrusion detection systems (IDS) and regular security audits to protect their networks further.
Given the nature of this vulnerability, it is also advisable to restrict the network access to Tinyproxy servers, ensuring that only trusted devices can communicate with the proxy.
While Tinyproxy offers significant advantages for small networks, this incident reminds us of the importance of maintaining up-to-date security practices, even in less resource-intensive applications.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide