[VulnWatch] Pavuk Digest Authentication Buffer Overflow

mattmurphy_at_kc.rr.com
Date: 07/28/04

    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, news@securiteam.com
    Date: Tue, 27 Jul 2004 22:59:31 -0400
    
    

    Pavuk Digest Authentication Buffer Overflow Vulnerabilities

    I. Synopsis

    Pavuk is a package designed for mass document retrieval. Pavuk is
    scriptable and supports several advanced features, including several
    classes of authentication; NTLM, Basic, and Digest are among those
    supported.

    II. Vulnerability Description

    Pavuk's digest authentication routines contain buffer overflows when
    processing a malicious Digest authentication challenge. In particular,
    buffer overflows may occur when malicious nonce or realm values are
    specified.

    The overflow is triggered when a server responds with an HTTP 401
    (Unauthorized) status and includes a Digest challenge with large values in
    certain fields. The issue is due to unsafe sprintf() calls within the
    Digest authentication handler.
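    As an added illustration (not Pavuk's code, which this advisory does not
    reproduce), the following C routines parse a Digest challenge into bounded
    buffers and reject oversized realm or nonce values, and build the reply
    header with snprintf() in place of the unsafe sprintf() pattern described
    above; AUTH_FIELD_MAX and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define AUTH_FIELD_MAX 256  /* constructed limit; the advisory gives no real size */

/* Copy the quoted value of `key` (e.g. "nonce") out of a challenge such as
 * Digest realm="x" opaque="o" nonce="y". Returns false and copies nothing when
 * the value is missing, unterminated, or too large for `out` (outsz bytes). */
bool digest_param(const char *challenge, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = challenge;
    while ((p = strstr(p, key)) != NULL) {
        /* the key must start a token and be followed by =" */
        bool boundary = (p == challenge) || p[-1] == ' ' || p[-1] == ',';
        if (boundary && p[klen] == '=' && p[klen + 1] == '"') {
            const char *v = p + klen + 2;
            const char *end = strchr(v, '"');
            if (end == NULL) return false;            /* unterminated value */
            size_t vlen = (size_t)(end - v);
            if (vlen >= outsz) return false;          /* would overflow: reject */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return true;
        }
        p += klen;
    }
    return false;
}

/* Handle a 401 challenge: 0 with realm/nonce filled in (AUTH_FIELD_MAX-byte
 * buffers), -1 if either value is absent, malformed, or oversized. */
int handle_challenge(const char *challenge, char *realm, char *nonce)
{
    if (!digest_param(challenge, "realm", realm, AUTH_FIELD_MAX)) return -1;
    if (!digest_param(challenge, "nonce", nonce, AUTH_FIELD_MAX)) return -1;
    return 0;
}

/* Build the Authorization header with snprintf rather than sprintf: a result of
 * bufsz or more means it did not fit, so the caller sees -1, not a corrupted stack. */
int build_digest_header(char *buf, size_t bufsz, const char *user, const char *realm,
                        const char *nonce, const char *uri, const char *response)
{
    int n = snprintf(buf, bufsz, "Authorization: Digest username=\"%s\", realm=\"%s\", "
                     "nonce=\"%s\", uri=\"%s\", response=\"%s\"",
                     user, realm, nonce, uri, response);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}
```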

    III. Impact

    Successful exploitation of this vulnerability allows an attacker to crash
    Pavuk or potentially execute arbitrary code, provided the attacker can
    cause Pavuk to access a web URL designed to exploit this issue. Function
    parameter overwriting allows for bypass of stack protection technologies,
    such as ProPolice and StackGuard, rendering them ineffective against
    exploitation of this vulnerability.

    In combination with certain web spider packages, this vulnerability could
    be exploited by any attacker who was able to cause a page to be indexed by
    a spider using Pavuk.

    I've produced a simple PHP exploit designed to demonstrate this
    vulnerability:

    <?php
    // Build a 1024-byte nonce value for the Digest challenge
    $buffer = "";
    for ($i = 0; $i < 1024; $i++) {
        $buffer .= "A";
    }
    // Send the Digest challenge with the oversized nonce as a single header line
    header("WWW-Authenticate: Digest realm=\"Secured by Digest Auth\" opaque=\"opaque\" nonce=\"$buffer\"");
    // Return 401 so the client enters its Digest authentication handler
    header("Status: 401 Not Authorized");
    ?>

    IV. Workarounds

    Successful exploitation of this vulnerability requires that Digest
    authentication be configured. In order to protect against this
    vulnerability, disable HTTP authentication within Pavuk.

    V. Solution

    Pavuk development upstream appears to have stalled. However, Pavuk is
    present in the FreeBSD and OpenBSD ports collections, as well as being
    distributed by SuSE, Gentoo, and Debian. Release was coordinated for July
    26.

    SuSE has issued fixes, although I have been informed that SuSE does not
    plan to issue an independent advisory. I am unable to find documentation
    of updates to Debian's packages. I received no responses from FreeBSD and
    OpenBSD during the course of coordinating releases.

    VI. Disclosure Timeline

    * July 9: Vulnerability Reported to:
        - Security@gentoo.org
        - Security@suse.de
        - Security@freebsd.org
        - Security@debian.org
        - Deraadt@openbsd.org
    * July 9 (Two Hours Later): SuSE's Roman Drahtmueller responds
    * July 9: Per SuSE request, issue forwarded to vendor-sec@lst.de
    * July 19: Initial date set for release: July 27
    * July 20: SuSE requests earlier release due to recent discoveries
    * July 21: Release timeline set for July 26
    * July 22: Release timeline relayed to Gentoo, FreeBSD, OpenBSD
    * July 26: Gentoo releases GLSA-200407-19
    * July 27: Advisory released

    VII. Acknowledgements

    I'd like to thank the following people for working with me on this release:

    * SuSE's Roman Drahtmueller and Thomas Biege
    * Gentoo's Kurt Lieber and Sune Koppeson
    * Debian's Matt Zimmerman

    Also, credit is due to the Debian Security Audit Project for the initial
    audit that I reviewed.

    I'd like to thank all of those involved for their work to resolve this
    issue, and for the brief turnaround time (18 days), even for a
    vulnerability in a non-default configuration of a package that many (all?)
    of the affected vendors do not *install* (let alone enable) by default.
