Sun Microsystems says two buffer overflows in the SOCKS module of its Sun Java System Web Proxy Server 4.0 can give a remote attacker the privileges of a superuser.
The server acts as a network traffic manager, collecting network data, figuring out where it should go and distributing it accordingly, thus cutting down on the number of requests going out to remote content servers. The server also acts as a secure gateway for content distribution. The proxy services it runs include HTTP and SOCKSv5.
iDefense Labs—which Sun is crediting for alerting the company to the buffer overflows—said that remote exploitation of multiple stack-based buffer overflows in the server allows unauthenticated attackers to execute arbitrary code with superuser privileges.
iDefense says that the problem is with the “sockd” daemon, which implements SOCKS proxy support for the Web Proxy server. The security company says that attackers can trigger a buffer overflow by manipulating certain bytes during protocol negotiation. A successful exploit will give an attacker the ability to hijack the system with the privileges of a user running “sockd.” Sun says that the SOCKS server normally runs with root privileges.
iDefense says that an attacker doesnt need authentication to trigger the buffer overflows—only the ability to open a session with the SOCKS server. Sun pointed out that one of the vulnerabilities—its BugID 6537736—does in fact require authentication, but the default configuration on the SOCKS server is that no authentication is required for access.
“The server runs under a watchdog process which will restart the server in cases when it will fail. This allows attackers to repeatedly attempt to exploit the issue,” iDefense said.
Sun says that Sun Java System Web Proxy Server 4.0.4 or earlier versions are susceptible to the vulnerability. The company has released an update to address the problem in all affected platforms: SPARC, x86, Linux, Windows, HP-UX and AIX.
Patches are available here.
Sun says that a successful exploit wont demonstrate any predictable symptoms.
A workaround is to disable the SOCKS proxy server and to use firewalls to limit access to the affected service by untrusted users.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.