[UNIX] Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/10/04

    To: list@securiteam.com
    Date: 10 Jun 2004 11:14:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Squid (http://www.squid-cache.org) is "a fully-featured Web Proxy Cache
    designed to run on UNIX systems and supports proxying and caching of HTTP,
    FTP, and other URLs, as well as SSL support, cache hierarchies,
    transparent caching, access control lists and many other features". Remote
    exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache
    could allow a remote attacker to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
    the NTLM helper enabled.

    Squid Web Proxy Cache supports Basic, Digest and NTLM authentication. The
    vulnerability specifically exists within the NTLM authentication helper
    routine, ntlm_check_auth(), located in helpers/ntlm_auth/SMB/libntlmssp.c:

    char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
    {
        int rv;
        char pass[25] /*, encrypted_pass[40] */;  /* fixed 25-byte stack buffer */
        char *domain = credentials;
        ...
        /* tmp.str and tmp.l are decoded from the client's NTLM message;
           tmp.l is not compared against sizeof(pass) before the copy */
        memcpy(pass, tmp.str, tmp.l);
        ...

    The function contains a buffer overflow vulnerability due to a lack of
    bounds checking on the values copied to the 'pass' variable. Both the
    'tmp.str' and 'tmp.l' variables used in the memcpy() call contain
    user-supplied data.
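    The fix pattern the advisory's patch is aimed at, shown here as an added example in C (not Squid's own code or iDEFENSE's): the client-controlled length is checked against the destination buffer before memcpy() runs. The lstring_t type and the function names are hypothetical stand-ins; the 25-byte buffer size mirrors the `pass[25]` in the excerpt above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in (hypothetical name, not Squid's own type) for the
 * helper's view of a decoded NTLM string: a pointer into the client's
 * message plus a length that the client controls. */
typedef struct {
    const char *str;
    size_t      l;
} lstring_t;

/* Hardened copy: the supplied length is validated against the destination
 * size before memcpy(), and one byte is reserved for a NUL terminator.
 * Returns 0 on success, -1 if the value would not fit. */
int copy_password_checked(char *pass, size_t pass_size, lstring_t tmp)
{
    if (tmp.str == NULL || tmp.l >= pass_size)
        return -1;                     /* reject instead of overflowing */
    memcpy(pass, tmp.str, tmp.l);
    pass[tmp.l] = '\0';
    return 0;
}

/* Drives the check with a buffer the same size as the vulnerable one and a
 * constructed source of 'A' bytes. Returns 1 if the supplied length is
 * accepted, 0 if the copy is refused. */
int password_fits(size_t supplied_len)
{
    char pass[25];
    char src[64];                      /* constructed sample input */
    memset(src, 'A', sizeof src);
    lstring_t tmp = { src, supplied_len > sizeof src ? sizeof src : supplied_len };
    return copy_password_checked(pass, sizeof pass, tmp) == 0;
}

int main(void)
{
    printf("len 8  accepted: %d\n", password_fits(8));
    printf("len 24 accepted: %d\n", password_fits(24));
    printf("len 25 accepted: %d\n", password_fits(25));
    printf("len 40 accepted: %d\n", password_fits(40));
    return 0;
}
```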

    Analysis:
    A remote attacker can compromise a target system if Squid Proxy is
    configured to use the NTLM authentication helper. The attacker can send an
    overly long password to overflow the buffer and execute arbitrary code.

    Workaround:
    Recompile Squid-Proxy with NTLM handlers disabled.

    Vendor response:
    A patch for this issue is available at:
    http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

    CVE Information:
    CAN-2004-0541
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0541

    Disclosure timeline:
    04/27/04 Exploit acquired by iDEFENSE
    05/19/04 iDEFENSE Clients notified
    05/20/04 Initial vendor notification
    05/20/04 Initial vendor response
    06/08/04 Public Disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE (idlabs-advisories@idefense.com).
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

