A remote overflow exists in the Squid Internet Object Cache server. Squid fails to correctly test the length of the user-supplied LanMan Hash value in the ntlm_check_auth() function resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can execute arbitrary code on the system with the privileges the Squid process is running under. This flaw can only be exploited if Squid was compiled with the NTLM authentication helper enabled.

A patch has been released for this vulnerability available from the Squid website. Additionally, Squid can be recompiled to disable NTLM authentication.

• Security Tracker: 1010434
• Bugtraq ID: 10500
• Secunia Advisory ID: 11804 11816 11819 11831 11838 11889 13044
• ISS X-Force ID: 16360
• CVE ID: 2004-0541 (see also: NVD)
• Metasploit ID: 6791
• SCIP VulDB ID: 698
• Vendor Specific Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000882
  http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
  http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:059
  http://www.suse.de/de/security/2004_16_squid.html
• Other Advisory URL: http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
• Generic Exploit URL: http://www.metasploit.com/projects/Framework/exploits.html#squid_ntlm_authenticate [ Link is 404 ]
• Vendor URL: http://www.squid-cache.org/
• Other Solution URL: http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch
• Keyword: lmhash,base64
• CIAC Advisory: o-168
• RedHat RHSA: RHSA-2004:242-06

• Anonymous - iDefense Labs VCP