[UNIX] Remotely Exploitable Format String Bug in Squid

From: support@securiteam.com
Date: 06/05/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  5 Jun 2002 09:06:57 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remotely Exploitable Format String Bug in Squid
------------------------------------------------------------------------

SUMMARY

Msntauth (http://members.tripod.com/stellarx/software.html) is an
authentication module for the Squid proxy server that authenticates users
against an NT domain. It originates from the Samba and SMB packages by Andrew
Tridgell and Richard Sharpe; this version is derived from the Pike
authentication module by William Welliver (hwellive@intersil.com).
Usage is simple: it accepts a username and password on standard input and
returns OK if the username/password is valid for the domain, or ERR if
there was some problem. A format string vulnerability in the code allows
remote attackers to make the server execute arbitrary code.

DETAILS

In the "allowuser" code of MSNT there is a remotely reachable syslog()
call that, under certain circumstances, leads to a remote compromise of the
box running it.

Vulnerable code:

  sscanf(ConnectingUser, " %s ", CUBuf);
  sprintf(CUBuf, " %s ", CUBuf);

  for (x = 0; x <= strlen(CUBuf); x++)
      CUBuf[x] = toupper(CUBuf[x]);

  if (strstr(AllowedUsers, CUBuf) != NULL)
     return 1;
  else /* If NULL, they are not allowed to use the proxy */
  {
     sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf);
     syslog(LOG_USER | LOG_ERR, AllowMsg);  /* <-- This is the vulnerable portion */
     return 0;
  }

As you can see, "ConnectingUser" supplies the data that is stored in the
"very well bounds checked" CUBuf. If that user is not in AllowedUsers (for
instance because the name is
AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x), the denial
message containing the name is handed to syslog() as its format string,
and the format string vulnerability is triggered.
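A hardened version of the same check, written here as an added example rather than taken from msntauth or the advisory. It keeps the original policy (first token of the name, upper-cased, space-padded, looked up in the allowed list) but passes the user-controlled text to syslog() only as a "%s" argument, uses bounded copies, and does not format a buffer into itself. The buffer size NAME_MAX_LEN, the function names and the deny_message() helper are assumptions; the original CUBuf size is not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define NAME_MAX_LEN 64   /* assumed bound; the width in the sscanf format below matches it */

/* Builds the denial message into a caller-supplied buffer so it can be
   inspected (and tested) without reading syslog. Returns the message length. */
int deny_message(const char *user, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Denied access to user '%s'.", user);
}

/* Hardened rewrite of the allowuser check (added example, not msntauth's code).
   Returns 1 if the user is allowed, 0 otherwise. */
int allow_user_safe(const char *connecting_user, const char *allowed_users)
{
    char name[NAME_MAX_LEN + 1];
    char padded[NAME_MAX_LEN + 3];
    char msg[NAME_MAX_LEN + 40];
    size_t x;

    /* Width-limited scan: the original " %s " has no bound on the destination. */
    if (sscanf(connecting_user, " %64s ", name) != 1)
        return 0;

    for (x = 0; x < strlen(name); x++)
        name[x] = (char)toupper((unsigned char)name[x]);

    /* Separate destination buffer: the original sprintf(CUBuf, " %s ", CUBuf)
       formats a buffer into itself, which is undefined behaviour. The space
       padding keeps the original whole-word match against allowed_users. */
    snprintf(padded, sizeof padded, " %s ", name);

    if (strstr(allowed_users, padded) != NULL)
        return 1;

    deny_message(name, msg, sizeof msg);
    /* FIX: a constant format string. The user-controlled text travels as an
       argument, so a "%0.8x" in a username is logged literally rather than
       interpreted by syslog(). */
    syslog(LOG_USER | LOG_ERR, "%s", msg);
    return 0;
}
```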

ADDITIONAL INFORMATION

The information has been provided by david evlis reign
(davidreign@hotmail.com).

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.