Pierluigi Paganini
May 08, 2024
Researchers from Cisco Talos reported a use-after-free vulnerability in the HTTP Connection Headers parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is tracked as CVE-2023-49606 and received a CVSS score of 9.8. The exploitation of the issue can potentially lead to remote code execution.
“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.” reads the advisory.
Tinyproxy is an open-source HTTP proxy daemon designed for simplicity and efficiency.
The vulnerability impacts over 90,000 hosts that expose a Tinyproxy service on the internet. Talos researchers published a proof-of-concept exploit code for this vulnerability.
“As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit.” reads the report.
Most of the exposed hosts are in the United States, followed by South Korea and China.
| Country | Host Count | Percentage |
| United States | 32846 | 36.37% |
| South Korea | 18358 | 20.33% |
| China | 7808 | 8.65% |
| France | 5208 | 5.77% |
| Germany | 3680 | 4.07% |
Maintainers of the project temporarily addressed the issue with the release of version 1.11.1. tinyproxy 1.11.2 release will definitively fix the issue.
the code may appear naive, but it allows to circumvent the allocation of more memory which could fail again. the straight-forward fix would be to strdup the value retrieved from the key/value store, and then work on that and free it later.
so it seems most tinyproxy users won’t have to worry – because who runs an entirely open proxy on the open internet these days ?”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
