Tinyproxy Integer Overflow Vulnerability in Port Parsing Allowing Filter Bypass

A remote integer overflow vulnerability has been identified in Tinyproxy versions through 1.11.2. The issue arises in the 'strip_return_port()' function within 'src/reqs.c', where the proxy improperly handles oversized numeric port values. This oversight allows attackers to bypass Tinyproxy's port restrictions, potentially accessing blocked destinations and exploiting internal services or management ports for unauthorized privilege escalation.

Impact

Exploitation of this vulnerability can lead to a security policy bypass, allowing access to internal services or escalation of privileges through restricted management ports.

Reproduction

To reproduce this vulnerability, first set up Tinyproxy to block port 5000 by creating a filter file that denies access to 'localhost:5000' and '127.0.0.1:5000'. After restarting Tinyproxy, send a normal request to port 5000, which will be blocked. Then, send a request to 'localhost' using a crafted port number that exploits the integer overflow, such as 'localhost:4294967440'. Tinyproxy will incorrectly process this port as '5000', bypassing the filter and allowing access to the blocked service.

Remediation

Users are advised to update to the patched version of Tinyproxy, which includes a fix for the integer overflow vulnerability in port number processing.