CVE-2004-0832
CVSS 5.0
Published: 2004-11-03 00:00:00
Revised: 2010-08-21 00:21:21

[Original] The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy.


[CNNVD] Squid Proxy NTLM Authentication Remote Denial of Service Vulnerability (CNNVD-200411-006)

        
        Squid is a high-performance Web cache and proxy. It was originally developed for Unix and has since been ported to Linux and most Unix-like systems; recent versions also run on Windows.
        The Squid proxy's ntlm_fetch_string() and ntlm_get_string() functions lack proper argument checking, and a remote attacker can exploit this to mount a denial-of-service attack against the service.
        The problem lies in the "ntlm_fetch_string" function in "lib/ntlmauth.c", which fetches a string and its length from an NTLMSSP security buffer and returns them in the lstring structure "rv". The only sanity check on the header fields is:
        l < 0 || l > MAX_FIELD_LENGTH || o + l > length || o == 0
        If that IF check passes, the following code runs:
        rv.str = packet + o; <--- pointer to data
        and
        rv.l = l; <--- length of data
        However, the int32_t offset "o" is never checked for a negative value. If o = -1000000000 (or any other negative value), every clause of the check is false, rv.str points far outside the packet buffer, and the subsequent memcpy in "ntlm_check_auth" reads from an invalid address, crashing the NTLM helper and causing a denial of service.
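To make the failing check concrete, the following is an added example written for this entry; it is not Squid's source and not the vendor patch. It models the 8-byte NTLMSSP security buffer (strhdr) and the check quoted above, places a hardened variant beside it, and runs both over three constructed headers: a legitimate one, the advisory's offset of -1000000000, and an offset past the end of the packet. The struct layout, the 64-byte packet, the helper names (decode_strhdr, field_accepted) and the hardened check itself are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_LENGTH 63   /* limit used by Squid's ntlmauth.h */

/* Minimal model of Squid's strhdr (an NTLMSSP security buffer: 16-bit
 * length, 16-bit allocated length, 32-bit offset from packet start) and of
 * the lstring it returns. Names follow the advisory; the layout is assumed. */
typedef struct { int16_t len; int16_t maxlen; int32_t offset; } strhdr;
typedef struct { const char *str; int32_t l; } lstring;

/* Decode one 8-byte little-endian security buffer from raw packet bytes. */
static strhdr decode_strhdr(const unsigned char *p)
{
    strhdr h;
    h.len    = (int16_t)(p[0] | (p[1] << 8));
    h.maxlen = (int16_t)(p[2] | (p[3] << 8));
    h.offset = (int32_t)((uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                         ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24));
    return h;
}

/* The check quoted in the advisory. Nothing rejects a negative offset, so
 * o = -1000000000 passes and rv.str points far before the packet; the
 * later memcpy in ntlm_check_auth then reads from an invalid address. */
static lstring ntlm_fetch_string_vuln(const char *packet, int32_t length,
                                      const strhdr *str)
{
    lstring rv = { NULL, -1 };
    int32_t l = str->len;
    int32_t o = str->offset;
    if (l < 0 || l > MAX_FIELD_LENGTH || o + l > length || o == 0)
        return rv;
    rv.str = packet + o;    /* out-of-bounds pointer whenever o < 0 */
    rv.l = l;
    return rv;
}

/* Hardened check written for this example (not the vendor patch): reject
 * o <= 0 explicitly and compare in size_t so that "o + l" cannot wrap. */
static lstring ntlm_fetch_string_fixed(const char *packet, int32_t length,
                                       const strhdr *str)
{
    lstring rv = { NULL, -1 };
    int32_t l = str->len;
    int32_t o = str->offset;
    if (length < 0 || l < 0 || l > MAX_FIELD_LENGTH || o <= 0 ||
        (size_t)o > (size_t)length || (size_t)l > (size_t)length - (size_t)o)
        return rv;
    rv.str = packet + o;
    rv.l = l;
    return rv;
}

/* Constructed 64-byte stand-in for an NTLMSSP packet: the security buffer
 * under test is placed at byte 16; a legitimate one points at byte 32. */
#define PKT_LEN 64
#define HDR_AT  16

/* Returns 1 if the 8-byte security buffer is accepted by the vulnerable
 * (fixed == 0) or hardened (fixed == 1) check, 0 if it is rejected. */
static int field_accepted(const unsigned char hdr[8], int fixed)
{
    unsigned char packet[PKT_LEN];
    strhdr h;
    lstring rv;

    memset(packet, 0, sizeof packet);
    memcpy(packet + HDR_AT, hdr, 8);
    h = decode_strhdr(packet + HDR_AT);
    rv = fixed ? ntlm_fetch_string_fixed((const char *)packet, PKT_LEN, &h)
               : ntlm_fetch_string_vuln((const char *)packet, PKT_LEN, &h);
    return rv.str != NULL;
}

/* len = 8, maxlen = 8, offset = 32: a field that lies inside the packet */
static const unsigned char HDR_OK[8]   = { 0x08, 0x00, 0x08, 0x00, 0x20, 0x00, 0x00, 0x00 };
/* len = 8, maxlen = 8, offset = -1000000000 (0xC4653600): the advisory's value */
static const unsigned char HDR_NEG[8]  = { 0x08, 0x00, 0x08, 0x00, 0x00, 0x36, 0x65, 0xC4 };
/* len = 8, maxlen = 8, offset = 100: past the end, caught by "o + l > length" */
static const unsigned char HDR_PAST[8] = { 0x08, 0x00, 0x08, 0x00, 0x64, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("legit field:     vuln=%d fixed=%d\n", field_accepted(HDR_OK, 0),   field_accepted(HDR_OK, 1));
    printf("negative offset: vuln=%d fixed=%d\n", field_accepted(HDR_NEG, 0),  field_accepted(HDR_NEG, 1));
    printf("offset past end: vuln=%d fixed=%d\n", field_accepted(HDR_PAST, 0), field_accepted(HDR_PAST, 1));
    return 0;
}
```

The vulnerable check accepts the negative-offset header because -1000000000 + 8 is not greater than the packet length and is not zero; the only thing that stops the resulting pointer from being dereferenced in Squid is the later memcpy crashing. The hardened check rejects it on o <= 0 and, by doing the remaining arithmetic in size_t after that test, also cannot be bypassed by an offset large enough to make o + l overflow.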
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no specialized access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10489 The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attac...
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0832
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0832
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-006
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17218
(VENDOR_ADVISORY)  XF  squid-ntlmssp-dos(17218)
http://www.trustix.org/errata/2004/0047/
(VENDOR_ADVISORY)  TRUSTIX  2004-0047
http://www.securityfocus.com/bid/11098
(VENDOR_ADVISORY)  BID  11098
http://www.gentoo.org/security/en/glsa/glsa-200409-04.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200409-04
http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_string
(UNKNOWN)  CONFIRM  http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_string
http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
(UNKNOWN)  CONFIRM  http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
http://www.mandriva.com/security/advisories?name=MDKSA-2004:093
(UNKNOWN)  MANDRAKE  MDKSA-2004:093
http://fedoranews.org/updates/FEDORA--.shtml
(UNKNOWN)  FEDORA  FLSA-2006:152809

- Vulnerability information

Squid Proxy NTLM Authentication Remote Denial of Service Vulnerability
Medium severity    Input validation
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Vendor patch:
        Squid
        -----
        The vendor has released a patch for this security issue; download it from the vendor's site:
        Squid Patch squid-2.5.STABLE6-ntlm_fetch_string.patch
        
        http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/squid-2.5.STABLE6-ntlm_fetch_string.patch

- Vulnerability information

9551
Squid NTLM Authentication Malformed NTLMSSP Packet DoS
Denial of Service
Loss of Availability Patch / RCS
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-09-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Squid Proxy NTLM Authentication Denial Of Service Vulnerability
Input Validation Error 11098
Yes No
2004-09-02 12:00:00 2006-12-20 08:53:00
Marco Ortisi <marco.ortisi@flashcom.it> disclosed this vulnerability to the vendor.

- Affected program versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
Squid Web Proxy Cache 3.0 PRE3
Squid Web Proxy Cache 3.0 PRE2
Squid Web Proxy Cache 3.0 PRE1
Squid Web Proxy Cache 2.5 .STABLE6
+ Mandriva Linux Mandrake 10.1 x86_64
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Squid Web Proxy Cache 2.5 .STABLE5
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Squid Web Proxy Cache 2.5 .STABLE4
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG Current
Squid Web Proxy Cache 2.5 .STABLE3
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 1.3
+ Red Hat Enterprise Linux AS 3
+ Red Hat Fedora Core1
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
Squid Web Proxy Cache 2.5 .STABLE1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ S.u.S.E. Linux Personal 8.2
Squid Web Proxy Cache 2.4 .STABLE7
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
Squid Web Proxy Cache 2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.3 .STABLE5
Squid Web Proxy Cache 2.1 PATCH2
Squid Web Proxy Cache 2.0 PATCH2
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core2
Red Hat Fedora Core1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
Gentoo Linux 1.4

- Vulnerability discussion

Squid is reported to be susceptible to a denial of service vulnerability in its NTLM authentication module.

This vulnerability presents itself when attacker-supplied input data is passed to the affected NTLM module without proper sanitization.

This vulnerability allows an attacker to crash the NTLM helper application. Squid will respawn new helper applications, but with a sustained, repeating attack, it is likely that proxy authentication depending on the NTLM helper application would fail. Failure of NTLM authentication would result in the Squid application denying access to legitimate users of the proxy.

Squid versions 2.x and 3.x are all reported to be vulnerable to this issue. A patch is available from the vendor.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Please see the referenced vendor advisories for more information and fixes.
Squid Web Proxy Cache 2.5 .STABLE6
Squid Web Proxy Cache 2.5 .STABLE4
Squid Web Proxy Cache 2.5 .STABLE1
Squid Web Proxy Cache 2.5 .STABLE3
Squid Web Proxy Cache 2.5 .STABLE5

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.