This is written for Google/Bingle — regular readers of this blog won't care about it at all.
I recently had to diagnose a problem with SocksCAP 2.40, a Windows program described as:
"Automatically enables Windows-based TCP and UDP networking client applications to traverse a SOCKS firewall. SocksCap intercepts the networking calls from WinSock applications and redirects them through the SOCKS server without modifying the original application, the operating system software or drivers."
A customer of a customer was using this in a heavily locked-down environment, where all desktops were required to run through a proxy server, to enable some line-of-business software which did not honor proxy settings on its own. SocksCAP intercepted network calls to run them through the local SOCKS proxy.
The application ran fine until it attempted an app-specific auto-update. After successfully fetching the updated files to a temporary directory, it attempted to run an updater program which would install and patch the program in place. This failed every time.
At first we were sure this was a bug in the application itself, but it turned out to be SocksCAP.
SocksCAP was intercepting the CreateProcess() call from the main app so it could automatically SOCKS-ify the subprocess (definitely a helpful/useful trick), but it was not able to handle the very long command line required by the auto-updater program.
After enabling logging in SocksCAP, its logfile showed the full, correct command line, but Process Monitor from Microsoft SysInternals showed that CreateProcess() was given the corrupted command line.
It looked to me like it was blowing up after around 256 characters, so this has all the hallmarks of a fixed-length buffer with a poorly-chosen size.
Since the updater command-line included several filenames based on %TMP%, our workaround changed %TMP% to C:\T\ instead of the long Documents-and-Settings path that's the usual. This brought the command line under the blow-up limit.
I've not been able to find the source, or even recent support, for SocksCAP, so I doubt that a real fix will ever happen, but hopefully this post will help others in my place get to the bottom of this with less pain than it took me.
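The failure mode suspected above, as an added example that is not part of the original post and is not SocksCAP's code (its source is unavailable): a hook that copies the command line into a fixed buffer, next to one that sizes the copy from the input. The 256-byte size, the file names, the user name and the truncate-silently behaviour are assumptions made for illustration.

```c
/* Added illustration: models the suspected defect, not SocksCAP's actual code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HOOK_BUF 256  /* assumed, from the "around 256 characters" observation */

/* Hypothetical hook, defective form: anything past HOOK_BUF-1 chars is lost. */
static size_t forward_fixed(const char *cmdline, char *out, size_t outsz) {
    char buf[HOOK_BUF];
    snprintf(buf, sizeof buf, "%s", cmdline);   /* truncates without error */
    snprintf(out, outsz, "%s", buf);            /* what the child would see */
    return strlen(out);
}

/* Corrected form: size the copy from the input. Caller frees; NULL on failure. */
static char *forward_dynamic(const char *cmdline) {
    size_t n = strlen(cmdline) + 1;
    char *copy = malloc(n);
    if (copy != NULL) memcpy(copy, cmdline, n);
    return copy;
}

/* Constructed updater command line: several file names under the temp dir. */
static size_t build_cmdline(const char *tmp, char *out, size_t outsz) {
    int n = snprintf(out, outsz,
        "\"%supdate\\updater.exe\" /src \"%supdate\\package.cab\" "
        "/manifest \"%supdate\\manifest.xml\" /log \"%supdate\\updater.log\" "
        "/target \"C:\\Program Files\\ExampleApp\"", tmp, tmp, tmp, tmp);
    return (n < 0) ? 0 : (size_t)n;
}

/* Returns 1 if the fixed-buffer hook passes the full command line through. */
static int survives_hook(const char *tmp) {
    char full[1024], seen[1024];
    size_t want = build_cmdline(tmp, full, sizeof full);
    return forward_fixed(full, seen, sizeof seen) == want;
}

int main(void) {
    const char *long_tmp = "C:\\Documents and Settings\\exampleuser\\Local Settings\\Temp\\";
    const char *short_tmp = "C:\\T\\";
    char full[1024];
    printf("fixed, long  %%TMP%%: %s\n", survives_hook(long_tmp) ? "intact" : "truncated");
    printf("fixed, short %%TMP%%: %s\n", survives_hook(short_tmp) ? "intact" : "truncated");
    build_cmdline(long_tmp, full, sizeof full);
    char *copy = forward_dynamic(full);
    printf("dynamic, long %%TMP%%: %s\n", (copy && !strcmp(copy, full)) ? "intact" : "lost");
    free(copy);
    return 0;
}
```

Comparing the length the hook logs against the length the child process actually receives, as the SocksCAP log and Process Monitor did here, is the same check `survives_hook` performs.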




