rofl0r/proxychains-ng
cpe:2.3:a:proxychains-ng_project:proxychains-ng:*:*:*:*:*:*:*
- <= 4.17
- ~master
A stack-based buffer overflow vulnerability has been identified in rofl0r/proxychains-ng versions through 4.17, prior to commit cc005b7. The issue resides in the function proxy_from_string() within src/libproxychains.c. The vulnerability arises from a missing bounds check when parsing proxy configuration entries that contain excessively long username or password fields. This oversight allows the application to write beyond the limits of fixed-size stack buffers, resulting in memory corruption or crashes. Consequently, the vulnerability can cause a denial-of-service condition and, under certain circumstances, may be exploited further, depending on the execution environment and existing mitigations.
Exploitation of this vulnerability leads to a stack-based buffer overflow, causing memory corruption and application crashes. This disruption creates a denial-of-service condition. Additionally, in some environments, this type of memory corruption could be leveraged for arbitrary code execution.
The vulnerability can be reproduced by using a crafted proxy configuration file that includes username or password fields exceeding 255 bytes. When proxychains-ng is run with this configuration, the application will parse the oversized fields, leading to a stack buffer overflow. This can be automated with a simple script or tool that generates such a configuration file and then invokes proxychains-ng with it.
Users can upgrade to version 4.17 or later, or apply the patch available in commit cc005b7. Maintainers of a packaged distribution that cannot immediately upgrade can backport the patch by applying the single-line change in src/libproxychains.c, which removes the proxy type condition from the bounds check.
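The following added example (not code from proxychains-ng or from commit cc005b7) illustrates the class of flaw and fix described above: a length check that runs only for one proxy type, next to a check that runs for every type before the copy into fixed-size buffers. The enum values, the struct layout, the function names, and the choice of which type gated the check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 255 /* longest field length the advisory treats as safe */

/* Hypothetical proxy types; which type gated the original check is an assumption. */
enum ptype { PT_HTTP, PT_SOCKS4, PT_SOCKS5 };

/* Assumed buffer layout: FIELD_MAX bytes plus the terminating NUL. */
struct cred { char user[FIELD_MAX + 1]; char pass[FIELD_MAX + 1]; };

/* Flawed pattern: lengths are validated for one proxy type only, so
 * oversized fields of any other type pass through to the copy. */
static int lengths_ok_gated(enum ptype t, const char *u, const char *p) {
    if (t == PT_SOCKS5 && (strlen(u) > FIELD_MAX || strlen(p) > FIELD_MAX))
        return 0;
    return 1;
}

/* Corrected pattern: the check does not depend on the proxy type,
 * because every type reaches the same fixed-size buffers. */
static int lengths_ok(const char *u, const char *p) {
    return strlen(u) <= FIELD_MAX && strlen(p) <= FIELD_MAX;
}

/* Copies credentials only after the unconditional check.
 * Returns 1 on success, 0 if a field was rejected. */
static int store_cred(struct cred *out, const char *u, const char *p) {
    if (!lengths_ok(u, p))
        return 0;
    memcpy(out->user, u, strlen(u) + 1);
    memcpy(out->pass, p, strlen(p) + 1);
    return 1;
}

/* Constructed sample input: a 300-byte field, longer than FIELD_MAX. */
static const char *long_field(void) {
    static char buf[301];
    memset(buf, 'A', 300);
    buf[300] = '\0';
    return buf;
}

int main(void) {
    struct cred c;
    printf("gated check, http, 300-byte user: %s\n",
           lengths_ok_gated(PT_HTTP, long_field(), "x") ? "accepted" : "rejected");
    printf("unconditional check, 300-byte user: %s\n",
           store_cred(&c, long_field(), "x") ? "accepted" : "rejected");
    return 0;
}
```

A backport can be sanity-checked the same way: a configuration entry with an oversized username or password should be rejected for every proxy type, not only one.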