6791 : Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow
Printer | http://osvdb.org/6791 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
12	1839	over 7 years ago	8 months ago	8 times	100%

Timeline

Vendor Informed Date	Vendor Ack Date	Disclosure Date	Discovery Date	Exploit Publish Date
2004-05-20	2004-05-20	2004-06-08	2004-06-09	2004-06-09

Time to Exploit
0 days

Keywords

lmhash, base64

Description

A remote overflow exists in the Squid Internet Object Cache server. Squid fails to correctly test the length of the user-supplied LanMan Hash value in the ntlm_check_auth() function resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can execute arbitrary code on the system with the privileges the Squid process is running under. This flaw can only be exploited if Squid was compiled with the NTLM authentication helper enabled.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Patch / RCS
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Technical

The problem exists in the ntlm_check_auth() function, located in the helpers/ntlm_auth/SMB/libntlmssp.c file. The "pass" buffer is located on the stack with a static size of 25 bytes. User-controlled data is copied to the "pass" buffer without any bounds checking via memcpy, leading to a standard stack-based buffer overflow and remote code execution.

Solution

A patch has been released for this vulnerability available from the Squid website. Additionally, Squid can be recompiled to disable NTLM authentication.

Products

University of California San Diego	Squid Internet Object Cache	2.5-STABLE5
		3.0-PRE3-230040720

References

Security Tracker: 1010434
Bugtraq ID: 10500
Secunia Advisory ID: 11804 11816 11819 11831 11838 11889 13044
ISS X-Force ID: 16360
CVE ID: 2004-0541 (see also: NVD)
Metasploit ID: 6791
SCIP VulDB ID: 698
Vendor Specific Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000882
http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:059
http://www.suse.de/de/security/2004_16_squid.html
Other Advisory URL: http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
Generic Exploit URL: http://www.metasploit.com/projects/Framework/exploits.html#squid_ntlm_authenticate [ Link is 404 ]
Vendor URL: http://www.squid-cache.org/
Other Solution URL: http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch
Keyword: lmhash,base64
CIAC Advisory: o-168
RedHat RHSA: RHSA-2004:242-06

Tools & Filters

	12294 12504 12616 13717 13718 13832 14158 14524
Snort	12362 3-10481
	2185

Credit

Anonymous - iDefense Labs VCP

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.