🇮🇱 #BringThemHome #NeverAgainIsNow 🇮🇱

We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home. https://stories.bringthemhomenow.net/

CVE-2023-49606: Tinyproxy Use-After-Free Vulnerability Analysis

🚨 Critical Vulnerability Alert 🚨

Technical Report on CVE-2023-49606 in Tinyproxy

Vulnerability Overview

🔍 CVE-2023-49606 is a critical use-after-free vulnerability discovered in Tinyproxy, a lightweight HTTP/S proxy server. This flaw is present in the handling of HTTP Connection Headers within the versions 1.11.1 and 1.10.0 of Tinyproxy. This vulnerability allows for potential denial of service (DoS) attacks and, under specific circumstances, could lead to remote code execution (RCE).

Affected Versions

• Tinyproxy 1.11.1
• Tinyproxy 1.10.0

📈 CVSS Score: 9.8 (Critical)

Vulnerability Details

The vulnerability stems from improper management of memory when handling HTTP headers. The source code in http-message.c handles memory operations for HTTP headers, including allocation, reallocation, and deallocation. The issue likely arises in the context of memory reallocation and subsequent access to freed memory, which is not correctly nullified.

Code Analysis

Here is an excerpt of the relevant code from http-message.c:

/* Function to add headers to the HTTP message structure */
void http_message_add_headers(http_message_t *msg, const char **headers, unsigned int num_headers) {
    const char **new_headers;
    unsigned int i;

    if (headers == NULL) {
        return;
    }

    // Check if there is enough space, if not, reallocate
    if (msg->headers.used + num_headers > msg->headers.total) {
        new_headers = (const char **) safecalloc (msg->headers.total * 2, sizeof(char *));
        if (new_headers == NULL) {
            return;  // Allocation failed, potential for use-after-free if not handled
        }

        // Copy existing headers to the new array
        for (i = 0; i != msg->headers.used; ++i) {
            new_headers[i] = msg->headers.strings[i];
        }
        safefree(msg->headers.strings);  // Free old array
        msg->headers.strings = new_headers;  // Danger if old pointers are used post this point
        msg->headers.total *= 2;
    }

    // Add new headers to the structure
    for (i = 0; i != num_headers; ++i) {
        msg->headers.strings[i + msg->headers.used] = headers[i];
    }
    msg->headers.used += num_headers;
}