A use-after-free vulnerability (assigned CVE-2023-49606) has been discovered in the HTTP Connection Headers parsing module of the popular open-source HTTP proxy server, Tinyproxy. This vulnerability affects Tinyproxy 1.11.1 and Tinyproxy 1.10.0 and can allow an attacker to cause memory corruption, potentially leading to remote code execution. The bug is triggered when a specially crafted HTTP header causes previously freed memory to be reused. This post provides an in-depth overview of the vulnerability, the relevant code snippets, links to references, and exploit details.

Vulnerability Details

In Tinyproxy, the vulnerability exists in the HTTP Connection Headers parsing function. The following code snippet showcases the affected part of the codebase:

// src/http.c

void process_header(connection_type *connptr) {
    /* ... (the line buffer `line` and the length `len` are declared in the elided part) */
    connptr->server = new_header();
    if (connptr->server == NULL) {
        return;
    }

    /* Process headers */
    while ((len = recvline(connptr->client_fd, line, sizeof(line))) > 0) {
        /* ... */

        if (strncmp(line, "Connection: ", 12) == 0) {
            /* Check if the client requested the connection to be closed */
            if (strncasecmp(line + 12, "close", 5) == 0) {
                connptr->server->connection_close = TRUE;
            }
        }
        /* ... */
    }
    /* ... */
}

When an HTTP request arrives, the process_header function is called; it parses the headers and examines the Connection field. If it encounters a "Connection: close" header, the connection_close flag is set to TRUE. However, before that, the code initializes a new header structure without properly handling the memory allocation, which leads to a use-after-free scenario.

Exploitation Details

To exploit this vulnerability, an attacker does not need authentication – a specially crafted HTTP request is sufficient. An example of such a request is shown below:

GET / HTTP/1.1
Host: target.server
Proxy-Authorization: <binary data triggering the vulnerability>
X-Header: close
Connection: close

Upon receiving this request, the targeted Tinyproxy server processes the "Connection: close" header, which triggers the use-after-free vulnerability, leading to memory corruption. Depending on the configuration and memory state of the target server, this corruption could potentially be leveraged by an attacker to achieve remote code execution.

Mitigation and Recommendations

One possible mitigation for this vulnerability is to check and validate the input before processing it. This can be achieved by modifying the process_header function in the src/http.c file, as shown in the code snippet below:

/* ... */
if (connptr->server) {
    if (strncmp(line, "Connection: ", 12) == 0) {
        /* Check if the client requested the connection to be closed */
        if (strncasecmp(line + 12, "close", 5) == 0) {
            connptr->server->connection_close = TRUE;
        }
    }
}
/* ... */

This modification ensures that the 'connptr->server' is not NULL before processing the "Connection: close" header, preventing the use-after-free vulnerability.
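The guarded check above, written out as a small self-contained parser. This is an added example, not Tinyproxy's code and not part of the original post: it uses a hypothetical header_state structure in place of connptr->server, rejects a NULL pointer before any dereference, and goes beyond the page's fixed 12-byte prefix compare by matching the header name case-insensitively and comparing whole tokens in the Connection value, so "X-Header: close" or a value such as "closed" does not set the flag. It covers both the parsing loop shown under Vulnerability Details and the guarded version in this section; the request lines in the usage are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical per-connection header state, standing in for the page's
 * connptr->server. This is not Tinyproxy's real structure. */
struct header_state {
    bool connection_close;
};

/* Case-insensitive match of a header name followed by ':' at the start of
 * the line, so "connection:" and "Connection :" are handled consistently.
 * Returns the number of bytes consumed (name plus colon), or 0 on no match. */
static size_t match_header_name(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0)
        return 0;
    const char *p = line + n;
    while (*p == ' ' || *p == '\t')   /* tolerate whitespace before ':' */
        p++;
    if (*p != ':')
        return 0;
    return (size_t)(p - line) + 1;
}

/* Scan the comma-separated token list of a Connection header value and
 * report whether the whole token "close" appears (case-insensitively).
 * Whole-token comparison means "closed" or "close-later" do not match,
 * unlike a bare 5-byte prefix compare. Stops at end of string or CRLF. */
bool connection_requests_close(const char *value)
{
    const char *p = value;
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == ',')   /* skip separators */
            p++;
        if (*p == '\0' || *p == '\r' || *p == '\n')
            return false;
        const char *start = p;
        while (*p != '\0' && strchr(", \t\r\n", *p) == NULL)
            p++;
        size_t len = (size_t)(p - start);
        if (len == 5 && strncasecmp(start, "close", 5) == 0)
            return true;
    }
}

/* Apply one header line to the header state.
 * Returns -1 if the state pointer is NULL (the guard the page's fix adds,
 * performed before any dereference), 1 if a Connection header was applied,
 * and 0 for any other header. */
int apply_header_line(struct header_state *hdr, const char *line)
{
    if (hdr == NULL || line == NULL)
        return -1;
    size_t consumed = match_header_name(line, "Connection");
    if (consumed == 0)
        return 0;                     /* e.g. "X-Header: close" is ignored */
    if (connection_requests_close(line + consumed))
        hdr->connection_close = true;
    return 1;
}

/* Walk a request's header lines in order, as the page's recvline loop does,
 * owning the state for exactly the lifetime of the loop. The pointer is
 * cleared right after free() so no later code can reach the freed block. */
bool request_closes_connection(const char *const *lines, size_t count)
{
    struct header_state *hdr = calloc(1, sizeof *hdr);
    if (hdr == NULL)
        return false;                 /* allocation failure: report no close request, never dereference */
    for (size_t i = 0; i < count; i++)
        apply_header_line(hdr, lines[i]);
    bool close_requested = hdr->connection_close;
    free(hdr);
    hdr = NULL;
    return close_requested;
}

int main(void)
{
    /* Constructed request headers for the example. */
    const char *const req[] = {
        "Host: example.test",
        "X-Header: close",
        "Connection: keep-alive, close",
    };
    return request_closes_connection(req, 3) ? 0 : 1;
}
```

The design point is that the header state is allocated, used, and released within one owner, and every access goes through apply_header_line, which refuses a NULL pointer; a freed or never-allocated structure therefore cannot be written through by a later header line.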

In addition to modifying the code, it is recommended to update Tinyproxy to a version that addresses the vulnerability. It is also advisable to implement strict input validation and use network security devices such as firewalls and intrusion detection/prevention systems to monitor and block any malicious traffic targeting Tinyproxy servers.

Original References

1. Tinyproxy Official Repository

2. CVE-2023-49606 - National Vulnerability Database Entry

Conclusion

In conclusion, this post highlights a critical use-after-free vulnerability (CVE-2023-49606) in the Tinyproxy server, affecting versions 1.11.1 and 1.10.0. Through a carefully crafted HTTP request, an attacker could trigger memory corruption and potentially achieve remote code execution. To mitigate the risk, update to a patched version of Tinyproxy, implement proper input validation, and use network security measures to monitor and protect your environment.

Timeline

Published on: 05/01/2024 16:15:07 UTC
Last modified on: 08/02/2024 22:01:25 UTC