Impact
ProxyBridge Windows versions 3.0 and earlier contain two critical vulnerabilities in the UDP and TCP relay servers that allow remote attackers to execute arbitrary code on ProxyBridge running with Administrator privileges.
Vulnerability 1: Buffer Overflow
The UDP relay server performs unchecked memcpy operations on network data without validating the packet size. An attacker can send packets larger than MAXBUF-10 (65525 bytes) to overflow the send buffer, which causes the application to crash. By carefully crafting the oversized packet, an attacker can exploit this buffer overflow to perform privilege escalation and gain control of the system.
Vulnerability 2: Use-After-Free / Race Condition
The UDP relay server has a critical flaw where it continues to use connection pointers after releasing the mutex lock that protects them. When multiple packets arrive at the same time, this creates a race condition where one thread can free a connection structure while another thread is still using it. This use-after-free behaviour causes the application to crash. An attacker can exploit this race condition in combination with the buffer overflow vulnerability to achieve remote code execution and perform privilege escalation, potentially gaining full control of the system with ADMINISTRATOR privileges.
Impact:
- Remote Code Execution (RCE) as ADMINISTRATOR
- Privilege escalation
Patches
Fixed in version 3.1.0:
- Relay server accepts connections from the localhost redirect
- Relay server restricts external incoming connections with WFP
- Added buffer overflow protection with bounds checking
- Fixed use-after-free by copying connection data before mutex release
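The last two fixes combine into one pattern, sketched here as an added example that is not ProxyBridge's own code. It assumes MAXBUF is 65535 (from the 65525 figure above), a hypothetical 10-byte header layout, hypothetical names (conn_t, conn_table, conn_snapshot, relay_build), and a pthread mutex standing in for the Windows lock.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>

#define MAXBUF  65535   /* assumed: 65535 - 10 = 65525, the limit quoted in the advisory */
#define HDR_LEN 10      /* assumed header reserve in front of the payload */

typedef struct { uint32_t peer_ip; uint16_t peer_port; int in_use; } conn_t; /* hypothetical */

static pthread_mutex_t conn_lock = PTHREAD_MUTEX_INITIALIZER;
static conn_t conn_table[4] = { { 0x7f000001u, 5353, 1 } };  /* constructed sample entry */

/* Copy the record by value while the lock is held; no pointer leaves the critical section. */
static int conn_snapshot(size_t idx, conn_t *out)
{
    int ok = 0;
    pthread_mutex_lock(&conn_lock);
    if (idx < sizeof conn_table / sizeof conn_table[0] && conn_table[idx].in_use) {
        *out = conn_table[idx];
        ok = 1;
    }
    pthread_mutex_unlock(&conn_lock);
    return ok;
}

/* Write header + payload into out (capacity MAXBUF). Returns total length, or -1 if dropped. */
static long relay_build(size_t idx, const uint8_t *payload, size_t len, uint8_t *out)
{
    conn_t c;
    if (len > (size_t)(MAXBUF - HDR_LEN))   /* bounds check before any memcpy */
        return -1;
    if (!conn_snapshot(idx, &c))            /* connection freed or unknown: drop the packet */
        return -1;
    memset(out, 0, HDR_LEN);
    memcpy(out + 4, &c.peer_ip, sizeof c.peer_ip);
    memcpy(out + 8, &c.peer_port, sizeof c.peer_port);
    memcpy(out + HDR_LEN, payload, len);
    return (long)(HDR_LEN + len);
}

int main(void)
{
    static uint8_t in[MAXBUF], out[MAXBUF];
    return relay_build(0, in, sizeof in, out) == -1 ? 0 : 1;  /* oversized datagram is dropped */
}
```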