Full Disclosure mailing list archives
iDEFENSE Security Advisory 06.08.04: Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability
From: idlabs-advisories () idefense com
Date: Tue, 8 Jun 2004 15:00:21 -0400
Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.08.04
www.idefense.com/application/poi/display?id=107&type=vulnerabilities
June 8, 2004

I. BACKGROUND

Squid is a fully-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL, cache hierarchies, transparent caching, access control lists and many other features. More information is available at http://www.squid-cache.org.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code.

Squid Web Proxy Cache supports Basic, Digest and NTLM authentication. The vulnerability exists in the NTLM authentication helper routine ntlm_check_auth(), located in helpers/ntlm_auth/SMB/libntlmssp.c:

    char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
    {
        int rv;
        char pass[25] /*, encrypted_pass[40] */;
        char *domain = credentials;
        ...
        memcpy(pass, tmp.str, tmp.l);
        ...

The function overflows the fixed-size stack buffer 'pass' because the number of bytes copied into it is never checked against its 25-byte capacity. Both the source pointer 'tmp.str' and the length 'tmp.l' passed to memcpy() are taken from the client's NTLM authenticate message, so an unauthenticated client decides how many bytes are written.

III. ANALYSIS

A remote attacker can compromise a target system if Squid Proxy is configured to use the NTLM authentication helper. The attacker sends an NTLM authenticate message carrying an overly long password field; the copy overruns 'pass' and can be used to execute arbitrary code.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with the NTLM helper enabled.

V. WORKAROUNDS

Recompile Squid-Proxy with the NTLM helpers disabled. Where rebuilding is not immediately possible, removing the 'auth_param ntlm' lines from squid.conf stops Squid from launching the helper, so the vulnerable routine is never reached.

VI. VENDOR RESPONSE

A patch for this issue is available at:

    http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0541 to this issue (the candidate entry has since become CVE-2004-0541). This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

    04/27/04  Exploit acquired by iDEFENSE
    05/19/04  iDEFENSE Clients notified
    05/20/04  Initial vendor notification
    05/20/04  Initial vendor response
    06/08/04  Public Disclosure

IX. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
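The bounds problem described in section II, as an added example that is neither Squid's code nor part of the advisory: the unchecked copy pattern from ntlm_check_auth() sits beside a bounds-checked extraction of an NTLM "security buffer" field, and the checked version is run against constructed Type 3 messages. The field layout follows the NTLMSSP wire format (16-bit Len, 16-bit MaxLen, 32-bit BufferOffset, little-endian) and the LM response header offset (12) comes from the Type 3 layout; the 25-byte destination matches the advisory's 'pass'. The names ntlm_fetch_field, fetch_lm_response, build_type3 and the scenario_* functions are this example's own, not Squid's.

```c
/* Added example, not Squid's code: unchecked vs. bounds-checked extraction
 * of an NTLM security-buffer field. Assumptions: NTLMSSP field header is
 * {uint16 len, uint16 maxlen, uint32 offset} little-endian; the Type 3
 * fixed header is 64 bytes and the LM response header sits at offset 12. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PASSWD_LEN      24   /* 25-byte 'pass': 24 characters + NUL */
#define TYPE3_HDR_LEN       64   /* Type 3 fixed header through NegotiateFlags */
#define LM_RESPONSE_HDR_OFF 12   /* LmChallengeResponseFields security buffer */

typedef struct { uint16_t len; uint16_t maxlen; uint32_t offset; } strhdr;

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static strhdr read_strhdr(const uint8_t *p) {
    strhdr h = { get_le16(p), get_le16(p + 2), get_le32(p + 4) };
    return h;
}

/* VULNERABLE pattern, same shape as the advisory's excerpt: source pointer and
 * length both come straight from the client's message, so any Len above 24
 * writes past 'pass' on the stack. For contrast only; never called here. */
void copy_unchecked(char pass[25], const uint8_t *msg, strhdr h)
{
    memcpy(pass, msg + h.offset, h.len);
    pass[h.len] = '\0';
}

/* HARDENED: returns 0 and a NUL-terminated copy in out, or -1 if the field lies
 * outside the received packet or would not fit the caller's buffer. */
int ntlm_fetch_field(const uint8_t *msg, size_t msg_len, const strhdr *h,
                     char *out, size_t out_sz)
{
    if (out_sz == 0) return -1;
    /* Field must lie inside the packet. Written as a subtraction rather than
     * offset + len so a huge offset cannot wrap the sum back into range. */
    if (h->offset > msg_len || h->len > msg_len - h->offset) return -1;
    /* Field must fit with room for the terminator. */
    if ((size_t)h->len >= out_sz) return -1;
    memcpy(out, msg + h->offset, h->len);
    out[h->len] = '\0';
    return 0;
}

/* Extract the LM response field from a Type 3 (authenticate) message. */
int fetch_lm_response(const uint8_t *msg, size_t msg_len, char *out, size_t out_sz)
{
    if (msg_len < TYPE3_HDR_LEN || memcmp(msg, "NTLMSSP", 8) != 0 || get_le32(msg + 8) != 3)
        return -1;
    strhdr h = read_strhdr(msg + LM_RESPONSE_HDR_OFF);
    return ntlm_fetch_field(msg, msg_len, &h, out, out_sz);
}

/* Constructed Type 3 message: signature, type, one LM response header, then
 * payload_len bytes of 'A'. Returns the total message length (0 if too big). */
static size_t build_type3(uint8_t *buf, size_t bufsz, uint16_t lm_len,
                          uint32_t lm_off, size_t payload_len)
{
    size_t total = TYPE3_HDR_LEN + payload_len;
    if (total > bufsz) return 0;
    memset(buf, 0, total);
    memcpy(buf, "NTLMSSP", 8);
    put_le32(buf + 8, 3);
    put_le16(buf + LM_RESPONSE_HDR_OFF, lm_len);
    put_le16(buf + LM_RESPONSE_HDR_OFF + 2, lm_len);
    put_le32(buf + LM_RESPONSE_HDR_OFF + 4, lm_off);
    memset(buf + TYPE3_HDR_LEN, 'A', payload_len);
    return total;
}

/* Runs the hardened path on one constructed message: copied length, or -1. */
static int run(uint16_t lm_len, uint32_t lm_off, size_t payload_len)
{
    uint8_t msg[512];
    char pass[MAX_PASSWD_LEN + 1];
    size_t n = build_type3(msg, sizeof msg, lm_len, lm_off, payload_len);
    if (fetch_lm_response(msg, n, pass, sizeof pass) != 0) return -1;
    return (int)strlen(pass);
}
int scenario_benign(void)         { return run(24, TYPE3_HDR_LEN, 24); }   /* 24 bytes copied */
int scenario_overlong(void)       { return run(200, TYPE3_HDR_LEN, 200); } /* -1: 200 > 24 */
int scenario_truncated(void)      { return run(24, TYPE3_HDR_LEN, 8); }    /* -1: runs past packet */
int scenario_wrapped_offset(void) { return run(16, 0xFFFFFFF8u, 16); }     /* -1: offset outside packet */

int main(void)
{
    printf("benign=%d overlong=%d truncated=%d wrapped=%d\n", scenario_benign(),
           scenario_overlong(), scenario_truncated(), scenario_wrapped_offset());
    return 0;
}
```

The overlong case is the advisory's scenario: the field is genuinely present in the packet, so a packet-bounds check alone would pass it; only the second test, length against the destination size, rejects it. The truncated and wrapped-offset cases are the two other ways a client-supplied (offset, length) pair goes wrong, and both are caught before any memcpy() runs.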