Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-49606 PoC — Tinyproxy 资源管理错误漏洞

Source
https://github.com/d0rb/CVE-2023-49606
Associated Vulnerability
Title:Tinyproxy 资源管理错误漏洞 (CVE-2023-49606)
Description:Tinyproxy是Tinyproxy开源的一个小型、高效的 HTTP/SSL 代理守护程序。 Tinyproxy 1.11.1版本和1.10.0版本存在资源管理错误漏洞,该漏洞源于存在释放后重用漏洞,可以导致内存损坏和远程代码执行。
Description
Critical use-after-free vulnerability discovered in Tinyproxy
Readme

<div align="center">

[![Profile Visitors](https://komarev.com/ghpvc/?username=d0rb&label=Visitors&color=0e75b6&style=flat)](https://komarev.com/ghpvc/?username=d0rb)

 #  🇮🇱  **#BringThemHome #NeverAgainIsNow**   🇮🇱

**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**
</div>

# CVE-2023-49606: Tinyproxy Use-After-Free Vulnerability Analysis

🚨 **Critical Vulnerability Alert** 🚨

## Technical Report on CVE-2023-49606 in Tinyproxy

### Vulnerability Overview

🔍 **CVE-2023-49606** is a critical use-after-free vulnerability discovered in Tinyproxy, a lightweight HTTP/S proxy server. This flaw is present in the handling of HTTP Connection Headers within the versions 1.11.1 and 1.10.0 of Tinyproxy. This vulnerability allows for potential denial of service (DoS) attacks and, under specific circumstances, could lead to remote code execution (RCE).

### Affected Versions

- Tinyproxy 1.11.1
- Tinyproxy 1.10.0

📈 **CVSS Score**: 9.8 (Critical)

### Vulnerability Details

The vulnerability stems from improper management of memory when handling HTTP headers. The source code in `http-message.c` handles memory operations for HTTP headers, including allocation, reallocation, and deallocation. The issue likely arises in the context of memory reallocation and subsequent access to freed memory, which is not correctly nullified.

### Code Analysis

Here is an excerpt of the relevant code from `http-message.c`:

```c
/* Function to add headers to the HTTP message structure */
void http_message_add_headers(http_message_t *msg, const char **headers, unsigned int num_headers) {
    const char **new_headers;
    unsigned int i;

    if (headers == NULL) {
        return;
    }

    // Check if there is enough space, if not, reallocate
    if (msg->headers.used + num_headers > msg->headers.total) {
        new_headers = (const char **) safecalloc (msg->headers.total * 2, sizeof(char *));
        if (new_headers == NULL) {
            return;  // Allocation failed, potential for use-after-free if not handled
        }

        // Copy existing headers to the new array
        for (i = 0; i != msg->headers.used; ++i) {
            new_headers[i] = msg->headers.strings[i];
        }
        safefree(msg->headers.strings);  // Free old array
        msg->headers.strings = new_headers;  // Danger if old pointers are used post this point
        msg->headers.total *= 2;
    }

    // Add new headers to the structure
    for (i = 0; i != num_headers; ++i) {
        msg->headers.strings[i + msg->headers.used] = headers[i];
    }
    msg->headers.used += num_headers;
}
File Snapshot

 [4.0K]  /data/pocs/8e08bb031b2cddb1619e2ac2f2e32b366a5f3d38
├── [1.7K]  PoC.c
└── [2.7K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.