POC详情: 8e08bb031b2cddb1619e2ac2f2e32b366a5f3d38

来源
https://github.com/d0rb/CVE-2023-49606
关联漏洞
标题: Tinyproxy 资源管理错误漏洞 (CVE-2023-49606)
描述:Tinyproxy是Tinyproxy开源的一个小型、高效的 HTTP/SSL 代理守护程序。 Tinyproxy 1.11.1版本和1.10.0版本存在资源管理错误漏洞,该漏洞源于存在释放后重用漏洞,可以导致内存损坏和远程代码执行。
描述
Critical use-after-free vulnerability discovered in Tinyproxy
介绍

<div align="center">

[![Profile Visitors](https://komarev.com/ghpvc/?username=d0rb&label=Visitors&color=0e75b6&style=flat)](https://komarev.com/ghpvc/?username=d0rb)

 #  🇮🇱  **#BringThemHome #NeverAgainIsNow**   🇮🇱

**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**
</div>

# CVE-2023-49606: Tinyproxy Use-After-Free Vulnerability Analysis

🚨 **Critical Vulnerability Alert** 🚨

## Technical Report on CVE-2023-49606 in Tinyproxy

### Vulnerability Overview

🔍 **CVE-2023-49606** is a critical use-after-free vulnerability discovered in Tinyproxy, a lightweight HTTP/S proxy server. This flaw is present in the handling of HTTP Connection Headers within the versions 1.11.1 and 1.10.0 of Tinyproxy. This vulnerability allows for potential denial of service (DoS) attacks and, under specific circumstances, could lead to remote code execution (RCE).

### Affected Versions

- Tinyproxy 1.11.1
- Tinyproxy 1.10.0

📈 **CVSS Score**: 9.8 (Critical)

### Vulnerability Details

The vulnerability stems from improper management of memory when handling HTTP headers. The source code in `http-message.c` handles memory operations for HTTP headers, including allocation, reallocation, and deallocation. The issue likely arises in the context of memory reallocation and subsequent access to freed memory, which is not correctly nullified.

### Code Analysis

Here is an excerpt of the relevant code from `http-message.c`:

```c
/* Function to add headers to the HTTP message structure */
void http_message_add_headers(http_message_t *msg, const char **headers, unsigned int num_headers) {
    const char **new_headers;
    unsigned int i;

    if (headers == NULL) {
        return;
    }

    // Check if there is enough space, if not, reallocate
    if (msg->headers.used + num_headers > msg->headers.total) {
        new_headers = (const char **) safecalloc (msg->headers.total * 2, sizeof(char *));
        if (new_headers == NULL) {
            return;  // Allocation failed, potential for use-after-free if not handled
        }

        // Copy existing headers to the new array
        for (i = 0; i != msg->headers.used; ++i) {
            new_headers[i] = msg->headers.strings[i];
        }
        safefree(msg->headers.strings);  // Free old array
        msg->headers.strings = new_headers;  // Danger if old pointers are used post this point
        msg->headers.total *= 2;
    }

    // Add new headers to the structure
    for (i = 0; i != num_headers; ++i) {
        msg->headers.strings[i + msg->headers.used] = headers[i];
    }
    msg->headers.used += num_headers;
}
文件快照

 [4.0K]  /data/pocs/8e08bb031b2cddb1619e2ac2f2e32b366a5f3d38
├── [1.7K]  PoC.c
└── [2.7K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。