CVE-2005-3185
CVSS 7.5
Published: 2005-10-13 18:02:00
Revised: 2011-03-07 00:00:00

[Original text] Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.


[CNNVD] Multiple Vendor Wget/Curl NTLM Username Handling Overflow Vulnerability (CNNVD-200510-079)

        GNU wget is a free software package for retrieving files using the HTTP, HTTPS and FTP protocols; curl is a command-line tool for transferring files with URL syntax.
        The ntlm_output function in the 'http-ntlm.c' file of wget 1.10, curl 7.13.2 and libcurl 7.13 contains a stack overflow vulnerability. When NTLM authentication is enabled, it allows attackers to execute arbitrary code via a long NTLM username.
        The memory copy operation performs no adequate bounds checking on user-supplied data; the memcpy() of the user-supplied NTLM username into ntlmbuf results in a stack overflow:
         /* size is now 64 */
         size=64;
         ntlmbuf[62]=ntlmbuf[63]=0;
         memcpy(&ntlmbuf[size], domain, domlen);
         size += domlen;
         memcpy(&ntlmbuf[size], usr, userlen);
         size += userlen;
        An attacker can exploit this stack overflow to execute arbitrary code with the privileges of the user running the client.
        The vulnerability affects both wget and curl clients because wget adopted the curl NTLM authentication source code into its own code base.
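Added illustration, not code from curl, wget or the CNNVD record: the unchecked domain/user copies from ntlm_output() beside a bounds-checked version that refuses input which does not fit. The buffer size (1024), the 64-byte header and the "header, domain, user" layout are assumptions made for this example.

```c
/* Added illustration, not code from curl, wget or the advisory above: the
 * unchecked domain/user copies from ntlm_output() beside a bounds-checked
 * version. The buffer size (1024), the 64-byte header and the "header,
 * domain, user" layout are assumptions made for this example. */
#include <stddef.h>
#include <string.h>

#define NTLMBUF_SIZE  1024u  /* assumed size of the fixed stack buffer ntlmbuf */
#define NTLM_HDR_SIZE 64u    /* "size is now 64": fixed header written before the names */

/* Pre-patch arithmetic only (no copy is performed): would
 *   memcpy(&ntlmbuf[64], domain, domlen); memcpy(&ntlmbuf[64 + domlen], usr, userlen);
 * write past a NTLMBUF_SIZE-byte buffer? Compares against the remaining room
 * instead of summing the lengths, so the check itself cannot wrap around. */
int ntlm_names_would_overflow(size_t domlen, size_t userlen)
{
    size_t room = NTLMBUF_SIZE - NTLM_HDR_SIZE;
    if (domlen > room)
        return 1;
    return userlen > room - domlen;
}

/* Hardened sequence: the same two copies, but only after verifying that the
 * header, domain and user fit in buf[bufsize]. Returns the resulting message
 * size, or 0 when the input is refused; buf is left untouched on refusal. */
size_t ntlm_append_names(unsigned char *buf, size_t bufsize,
                         const char *domain, const char *usr)
{
    size_t domlen  = strlen(domain);
    size_t userlen = strlen(usr);
    size_t size    = NTLM_HDR_SIZE;

    if (bufsize < size)
        return 0;
    if (domlen > bufsize - size)            /* domain alone would overflow */
        return 0;
    if (userlen > bufsize - size - domlen)  /* domain + user would overflow */
        return 0;

    memset(buf, 0, size);                   /* stand-in for the real type-3 header */
    memcpy(&buf[size], domain, domlen);
    size += domlen;
    memcpy(&buf[size], usr, userlen);
    size += userlen;
    return size;
}

/* Stand-alone self-check: a normal credential fits; a constructed username
 * longer than the whole buffer is refused, whereas the original sequence
 * would have copied it past the end of ntlmbuf. Returns 1 on success. */
int ntlm_example_selfcheck(void)
{
    unsigned char ntlmbuf[NTLMBUF_SIZE];
    char longuser[NTLMBUF_SIZE + 200];      /* constructed overlong username */
    size_t ok, bad;

    memset(longuser, 'A', sizeof(longuser) - 1);
    longuser[sizeof(longuser) - 1] = '\0';

    ok  = ntlm_append_names(ntlmbuf, sizeof(ntlmbuf), "WORKGROUP", "alice");
    bad = ntlm_append_names(ntlmbuf, sizeof(ntlmbuf), "WORKGROUP", longuser);

    return ok == NTLM_HDR_SIZE + 9 + 5            /* 64 + "WORKGROUP" + "alice" */
        && ntlmbuf[NTLM_HDR_SIZE] == 'W'
        && ntlmbuf[NTLM_HDR_SIZE + 9] == 'a'
        && bad == 0
        && ntlm_names_would_overflow(9, sizeof(longuser) - 1) == 1
        && ntlm_names_would_overflow(9, 5) == 0;
}
```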

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:curl:curl:7.13.2
cpe:/a:wget:wget:1.10
cpe:/a:libcurl:libcurl:7.13.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9810  Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3185
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-079
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051013 Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/xfdb/22721
(UNKNOWN)  XF  wget-curl-ntlm-username-bo(22721)
http://www.vupen.com/english/advisories/2005/2659
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2659
http://www.vupen.com/english/advisories/2005/2125
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2125
http://www.vupen.com/english/advisories/2005/2088
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2088
http://www.ubuntulinux.org/support/documentation/usn/usn-205-1
(UNKNOWN)  UBUNTU  USN-205-1
http://www.securityfocus.com/bid/15647
(UNKNOWN)  BID  15647
http://www.securityfocus.com/bid/15102
(UNKNOWN)  BID  15102
http://www.redhat.com/support/errata/RHSA-2005-812.html
(UNKNOWN)  REDHAT  RHSA-2005:812
http://www.redhat.com/support/errata/RHSA-2005-807.html
(UNKNOWN)  REDHAT  RHSA-2005:807
http://www.redhat.com/archives/fedora-announce-list/2005-October/msg00055.html
(UNKNOWN)  FEDORA  FEDORA-2005-1000
http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00020.html
(UNKNOWN)  FEDORA  FEDORA-2005-1129
http://www.osvdb.org/20011
(UNKNOWN)  OSVDB  20011
http://www.novell.com/linux/security/advisories/2005_63_wget_curl.html
(UNKNOWN)  SUSE  SUSE-SA:2005:063
http://www.mandriva.com/security/advisories?name=MDKSA-2005:182
(UNKNOWN)  MANDRIVA  MDKSA-2005:182
http://www.gentoo.org/security/en/glsa/glsa-200510-19.xml
(UNKNOWN)  GENTOO  GLSA-200510-19
http://www.debian.org/security/2005/dsa-919
(UNKNOWN)  DEBIAN  DSA-919
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.519010
(UNKNOWN)  SLACKWARE  SSA:2005-310-01
http://securitytracker.com/id?1015057
(UNKNOWN)  SECTRACK  1015057
http://securitytracker.com/id?1015056
(UNKNOWN)  SECTRACK  1015056
http://securityreason.com/securityalert/82
(UNKNOWN)  SREASON  82
http://secunia.com/advisories/19193
(VENDOR_ADVISORY)  SECUNIA  19193
http://secunia.com/advisories/17965
(VENDOR_ADVISORY)  SECUNIA  17965
http://secunia.com/advisories/17813
(VENDOR_ADVISORY)  SECUNIA  17813
http://secunia.com/advisories/17485
(VENDOR_ADVISORY)  SECUNIA  17485
http://secunia.com/advisories/17403
(VENDOR_ADVISORY)  SECUNIA  17403
http://secunia.com/advisories/17400
(VENDOR_ADVISORY)  SECUNIA  17400
http://secunia.com/advisories/17320
(VENDOR_ADVISORY)  SECUNIA  17320
http://secunia.com/advisories/17297
(VENDOR_ADVISORY)  SECUNIA  17297
http://secunia.com/advisories/17247
(VENDOR_ADVISORY)  SECUNIA  17247
http://secunia.com/advisories/17228
(VENDOR_ADVISORY)  SECUNIA  17228
http://secunia.com/advisories/17208
(VENDOR_ADVISORY)  SECUNIA  17208
http://secunia.com/advisories/17203
(VENDOR_ADVISORY)  SECUNIA  17203
http://secunia.com/advisories/17193
(VENDOR_ADVISORY)  SECUNIA  17193
http://secunia.com/advisories/17192
(VENDOR_ADVISORY)  SECUNIA  17192
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
(UNKNOWN)  TRUSTIX  TSLSA-2005-0059
http://docs.info.apple.com/article.html?artnum=302847
(UNKNOWN)  APPLE  APPLE-SA-2005-11-29
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.10/SCOSA-2006.10.txt
(UNKNOWN)  SCO  SCOSA-2006.10

- Vulnerability information

Multiple Vendor Wget/Curl NTLM Username Handling Overflow Vulnerability
Severity: High    Type: Buffer overflow
Published: 2005-10-13 00:00:00    Updated: 2006-06-14 00:00:00
Attack location: Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the patch can be obtained from:
        http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=322

- Vulnerability information (F42714)

es263-network.txt (PacketStormID:F42714)
2005-12-31 00:00:00
Daniel Guido,Michael Aiello  michaelaiello.com
advisory,vulnerability
CVE-2005-3185,CVE-2005-4077

Electric Sheep version 2.6.3 suffers from network related vulnerabilities due to libcurl issues.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Polytechnic University ISIS Security Advisory            PUISIS10212005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                  http://isis.poly.edu/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~ Application: Electric Sheep v2.6.3
~    Severity: Medium-High
~       Title: Multiple Network-related Vulnerabilities in Electric Sheep
~        Date: October 20, 2005
~          ID: PUISIS10212005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Summary
========
The lack of an authentication framework for downloaded sheep mpegs, as
well as its dependence on and vulnerabilities in cURL allows an
attacker to send and display arbitrary movie files in the Electric
Sheep client and perform arbitrary local and remote code execution.

Background
==========
"Electric Sheep is a free, open source screen saver run by thousands
of people all over the world. It can be installed on any ordinary PC
or Mac. When these computers "sleep", the screen saver comes on and
the computers communicate with each other by the internet to share
the work of creating morphing abstract animations known as "sheep."
http://electricsheep.org/

Description
===========
By spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a malicious sheep server, it is possible
to force the Electric Sheep client to download and display arbitrary
mpegs due to a lack of authentication of the sheep server and sheep
mpegs. At minimum, a rogue sheep server would need to respond to the
Electric Sheep client with list.gz, a list of sheep available for
download, and the referenced mpegs. To properly display the mpegs, they
need to contain special footer information which can be found at the
bottom of any pre-existing Electric Sheep mpegs.

Electric sheep uses cURL internally for interaction with the Electric
Sheep server. Two recent vulnerabilities in cURL can be exploited
through malicious interaction with the Electric Sheep client.

As in the previous vulnerability, spoofing the DNS entry of
sheepserver.net or otherwise redirecting the Electric Sheep client
to a malicious sheep server and replacing it with an appropriate HTTP
30x response can allow remote code execution through cURL due to an
NTLM buffer overflow vulnerability [1,2].

Calling the Electric Sheep client by command line, configuration file,
or otherwise with a malicious sheep server URL allows local code
execution through cURL due to a URL buffer overflow vulnerability.
In addition, by redirecting the Electric Sheep client to a rogue sheep
server and supplying a list of maliciously formatted URLs it is
possible to exploit the same cURL URL buffer overflow vulnerability
remotely. This is possible because the Electric Sheep client makes
direct system calls to the vulnerable cURL application from network
supplied input [3,4].

Impact
======
Spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a rogue sheep server, it is possible to
remotely control the video displayed or remotely execute code on all
Electric Sheep clients affected by such a redirection. Local code
execution is also possible due to a cURL vulnerability.

Workaround
==========
The vendor was notified on November 18, 2005. The vendor was extremely
responsive and cooperative in regards to these security issues. All
issues are fixed in the CVS HEAD of Electric Sheep client development
and will be included in the next release.

References
==========

  [ 1 ] libcurl NTLM Buffer Overflow Vulnerability
        http://curl.haxx.se/docs/adv_20051013.html

  [ 2 ] CVE-2005-3185
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

  [ 3 ] libcurl URL Buffer Overflow Vulnerability
        http://curl.haxx.se/docs/adv_20051207.html

  [ 4 ] CVE-2005-4077
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077

About
=====
The Information Systems and Internet Security (ISIS) Laboratory is an
NSF funded laboratory designed to facilitate hands-on experimentation
and project work in issues related to information security. It provides
the focus for multidisciplinary research and education in emerging
areas of security. Polytechnic University, an NSA Center of Academic
Excellence in Information Assurance Education, houses the lab.

These vulnerabilities were discovered during coursework performed for
"Penetration Testing & Vulnerability Analysis" offered at Polytechnic
University (http://www.poly.edu) during the Fall 2005 semester.

License
=======
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

Authors
=======
Daniel Guido dguido@gmail.com
Michael Aiello http://www.michaelaiello.com/



- Vulnerability information (F42016)

Apple Security Advisory 2005-11-29 (PacketStormID:F42016)
2005-12-02 00:00:00
Apple  apple.com
advisory,vulnerability
apple
CVE-2005-2088,CVE-2005-2700,CVE-2005-2757,CVE-2005-3185,CVE-2005-3700,CVE-2005-2969,CVE-2005-3701,CVE-2005-2491,CVE-2005-3702,CVE-2005-3703,CVE-2005-3705,CVE-2005-1993,CVE-2005-3704

Apple Security Advisory - Apple has released a security update which addresses over a dozen vulnerabilities.


APPLE-SA-2005-11-29 Security Update 2005-009

Security Update 2005-009 is now available and delivers the following
security enhancements:

Apache2
CVE-ID:  CVE-2005-2088
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Cross-site scripting may be possible in certain
configurations
Description:  The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers.  This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls.  This update
addresses the issue by incorporating Apache version 2.0.55.

apache_mod_ssl
CVE-ID:  CVE-2005-2700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  SSL client authentication may be bypassed in certain
configurations
Description:  The Apache web server's mod_ssl module may allow an
attacker unauthorized access to a resource that is configured to
require SSL client authentication.  Only Apache configurations that
include the "SSLVerifyClient require" directive may be affected.
This update addresses the issue by incorporating mod_ssl 2.8.24 and
Apache version 2.0.55 (Mac OS X Server).

CoreFoundation
CVE-ID:  CVE-2005-2757
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description:  By carefully crafting a URL, an attacker can trigger a
heap buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution.  CoreFoundation is used by Safari and other
applications.  This update addresses the issue by performing
additional validation of URLs.  This issue does not affect systems
prior to Mac OS X v10.4.

curl
CVE-ID:  CVE-2005-3185
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting a malicious HTTP server and using NTLM
authentication may result in arbitrary code execution
Description:  Using curl with NTLM authentication enabled to download
an HTTP resource may allow an attacker to supply an overlong user or
domain name.  This may cause a stack buffer overflow and lead to
arbitrary code execution.  This update addresses the issue by
performing additional validation when using NTLM authentication.
This issue does not affect systems prior to Mac OS X v10.4.

iodbcadmintool
CVE-ID:  CVE-2005-3700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may gain elevated privileges
Description:  The ODBC Administrator utility includes a helper tool
called iodbcadmintool that executes with raised privileges.  This
helper tool contains a vulnerability that may allow local users to
execute arbitrary commands with raised privileges.  This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.

OpenSSL
CVE-ID:  CVE-2005-2969
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Applications using OpenSSL may be forced to use the weaker
SSLv2 protocol
Description:  Applications that do not disable SSLv2 or that enable
certain compatibility options when using OpenSSL may be vulnerable to
a protocol downgrade attack.  Such attacks may cause an SSL
connection to use the SSLv2 protocol which provides less protection
than SSLv3 or TLS.  Further information on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt.  This update
addresses the issue by incorporating OpenSSL version 0.9.7i.

passwordserver
CVE-ID:  CVE-2005-3701
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Local users on Open Directory master servers may gain
elevated privileges
Description:  When creating an Open Directory master server,
credentials may be compromised.  This could lead to unprivileged
local users gaining elevated privileges on the server.  This update
addresses the issue by ensuring the credentials are protected.

Safari
CVE-ID:  CVE-2005-2491
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Processing a regular expression may result in arbitrary
code execution
Description:  The JavaScript engine in Safari uses a version of the
PCRE library that is vulnerable to a potentially exploitable heap
overflow.  This may lead to the execution of arbitrary code.  This
update addresses the issue by providing a new version of the
JavaScript engine that incorporates more robust input validation.

Safari
CVE-ID:  CVE-2005-3702
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Safari may download files outside of the designated download
directory
Description:  When files are downloaded in Safari they are normally
placed in the location specified as the download directory.  However,
if a web site suggests an overlong filename for a download, it is
possible for Safari to create this file in other locations.  Although
the filename and location of the downloaded file content cannot be
directly specified by remote servers, this may still lead to
downloading content into locations accessible to other users.  This
update addresses the issue by rejecting overlong filenames.

Safari
CVE-ID:  CVE-2005-3703
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  JavaScript dialog boxes in Safari may be misleading
Description:  In Safari, JavaScript dialog boxes do not indicate the
web site that created them.  This could mislead users into
unintentionally disclosing information to a web site.  This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes.  Credit to Jakob Balle of Secunia Research
for reporting this issue.

Safari
CVE-ID:  CVE-2005-3705
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting malicious web sites with WebKit-based applications
may lead to arbitrary code execution
Description:  WebKit contains a heap overflow that may lead to the
execution of arbitrary code.  This may be triggered by content
downloaded from malicious web sites in applications that use WebKit
such as Safari.  This update addresses the issue by removing the heap
overflow from WebKit.  Credit to Neil Archibald of Suresec LTD and
Marco Mella for reporting this issue.

sudo
CVE-ID:  CVE-2005-1993
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may be able to gain elevated privileges in
certain sudo configurations
Description:  Sudo allows system administrators to grant users the
ability to run specific commands with elevated privileges.  Although
the default configuration is not vulnerable to this issue, custom
sudo configurations may not properly restrict users.  Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.

syslog
CVE-ID:  CVE-2005-3704
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  System log entries may be forged
Description:  The system log server records syslog messages verbatim.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator.  This update addresses the issue by specially
handling control characters and other non-printable characters.  This
issue does not affect systems prior to Mac OS X v10.4.  Credit to
HELIOS Software GmbH for reporting this issue.

Additional Information

Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.

Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.3
The download file is named:  "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is:  544f51a7bc73a57dbca95e05693904aadb2f94b1

For Mac OS X Server v10.4.3
The download file is named:  "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is:  b7620426151b8f1073c9ff73b2adf43b3086cc60

For Mac OS X v10.3.9
The download file is named:  "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is:  ea17ad7852b3e6277f53c2863e51695ac7018650

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is:  b03711729697ea8e6b683eb983343f2f3de3af13

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


- Vulnerability information (F40729)

iDEFENSE Security Advisory 2005-10-13.2 (PacketStormID:F40729)
2005-10-15 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-3185

iDEFENSE Security Advisory 10.13.05-2 - Remote exploitation of a buffer overflow vulnerability in multiple vendors' implementations of curl and wget allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied data supplied to a memory copy operation. iDEFENSE Labs has confirmed the following software versions are vulnerable: wget 1.10, curl 7.13.2, libcurl 7.13.2.

Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.13.05
www.idefense.com/application/poi/display?id=322&type=vulnerabilities
October 13, 2005

I. BACKGROUND

GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc. More
information on Wget is available from the vendor website:

	http://www.gnu.org/software/wget/wget.html

curl is a command line tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,
HTTP form based upload, proxies, cookies, user+password authentication
(Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume,
proxy tunneling and a busload of other useful tricks. More information
on curl is available from the vendor website:

	http://curl.haxx.se/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in multiple
vendors' implementations of curl and wget allows attackers to execute
arbitrary code.

The vulnerability specifically exists due to insufficient bounds 
checking on user-supplied data supplied to a memory copy operation. The 
memcpy() of the supplied ntlm username to ntlmbuf shown below results 
in a stack overflow:

http-ntlm.c in ntlm_output() on line 532:

    /* size is now 64 */
    size=64;
    ntlmbuf[62]=ntlmbuf[63]=0;

    memcpy(&ntlmbuf[size], domain, domlen);
    size += domlen;

    memcpy(&ntlmbuf[size], usr, userlen);
    size += userlen;

The resulting stack overflow can be leveraged to gain arbitrary code 
execution with user privileges.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to 
execute arbitrary code with permissions of the http client process. 
User interaction is required. Exploitation requires a user to use one 
of the affected clients to connect to a malicious website.

This vulnerability affects both wget and curl clients similarly because
wget 1.10 adopted the curl ntlm authentication source code into its own
code base. The described vulnerability requires that ntlm authentication
is enabled in the affected client versions. A factor that somewhat
increases the risk of this vulnerability is that a client can be forced
to reconnect using ntlm authentication by issuing an HTTP 302 REDIRECT
command to the connecting client.

IV. DETECTION

iDEFENSE Labs has confirmed the following software versions are 
vulnerable:

    *   wget 1.10
    *   curl 7.13.2
    *   libcurl 7.13.2 

V. WORKAROUND

As a workaround solution, disable NTLM support in wget and curl 
installations.

VI. VENDOR RESPONSE

wget 1.10.2 has been released to address this issue and is available for
download at:

   http://ftp.gnu.org/pub/gnu/wget/

curl has released the following patch to address this issue:

   http://curl.haxx.se/libcurl-ntlmbuf.patch

curl has also released the following security advisory:

   http://curl.haxx.se/mail/lib-2005-10/0061.html
   
Additionally, the maintainers of curl-web have provided the following
details on affected versions:

Affected versions: curl and libcurl 7.10.6 to and including 7.14.1

Not affected versions: curl and libcurl 7.10.5 and earlier,
  7.15.0 and later

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3185 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
10/13/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- Vulnerability information

OSVDB ID: 20011
GNU wget NTLM Username ntlm_output() Function Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity

- Vulnerability description

A remote overflow exists in wget. The 'ntlm_output()' function fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted HTTP redirect request containing an overly long NTLM username, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

Disclosure date: 2005-10-13
Discovery date: 2005-10-12
Exploit publish date: Unknown
Solution date: Unknown

- Solution

Upgrade to version 1.10.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

Multiple Vendor WGet/Curl NTLM Username Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 15102
Remote: Yes
Local: No
Published: 2005-10-13 12:00:00
Updated: 2008-05-05 05:56:00
The discoverer of this vulnerability wishes to remain anonymous; this vulnerability was disclosed in the referenced iDEFENSE advisory.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0 SP6
SCO Open Server 6.0
SCO Open Server 5.0.7
SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Enterprise Server 9
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
GNU wget 1.10.1
GNU wget 1.10
Gentoo net-misc/curl 7.14.1
Electric Sheep Electric Sheep 2.6.3
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Daniel Stenberg curl 7.14.1
Daniel Stenberg curl 7.14
Daniel Stenberg curl 7.13.2
Daniel Stenberg curl 7.13.1
Daniel Stenberg curl 7.13
Daniel Stenberg curl 7.13
Daniel Stenberg curl 7.12.3
Daniel Stenberg curl 7.12.2
Daniel Stenberg curl 7.12.1
Daniel Stenberg curl 7.12
Daniel Stenberg curl 7.11.2
Daniel Stenberg curl 7.11.1
Daniel Stenberg curl 7.11
Daniel Stenberg curl 7.10.8
Daniel Stenberg curl 7.10.7
Daniel Stenberg curl 7.10.6
Daniel Stenberg curl 7.10.5
Daniel Stenberg curl 7.10.4
Daniel Stenberg curl 7.10.3
Daniel Stenberg curl 7.10.2
Daniel Stenberg curl 7.10.1
Daniel Stenberg curl 7.10
Daniel Stenberg curl 7.9.8
Daniel Stenberg curl 7.9.7
Daniel Stenberg curl 7.9.6
Daniel Stenberg curl 7.9.5
Daniel Stenberg curl 7.9.4
Daniel Stenberg curl 7.9.3
Daniel Stenberg curl 7.9.2
Daniel Stenberg curl 7.9.1
Daniel Stenberg curl 7.9
Daniel Stenberg curl 7.8.2
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
Daniel Stenberg curl 7.8.1
Daniel Stenberg curl 7.8
Daniel Stenberg curl 7.7.3
Daniel Stenberg curl 7.7.2
Daniel Stenberg curl 7.7.1
Daniel Stenberg curl 7.7
Daniel Stenberg curl 7.6.1
Daniel Stenberg curl 7.6
Daniel Stenberg curl 7.5.2
Daniel Stenberg curl 7.5.1
Daniel Stenberg curl 7.5
Daniel Stenberg curl 7.4.2
Daniel Stenberg curl 7.4.1
Daniel Stenberg curl 7.4
Daniel Stenberg curl 7.3
Daniel Stenberg curl 7.2.1
Daniel Stenberg curl 7.2
Daniel Stenberg curl 7.1.1
Daniel Stenberg curl 7.1
Daniel Stenberg curl 6.5.2
Daniel Stenberg curl 6.5.1
Daniel Stenberg curl 6.5
Daniel Stenberg curl 6.4
Daniel Stenberg curl 6.3.1
Daniel Stenberg curl 6.3
Daniel Stenberg curl 6.2
Daniel Stenberg curl 6.1 beta
Daniel Stenberg curl 6.1
Daniel Stenberg curl 6.0
Conectiva Linux 10.0
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

- Unaffected program versions

GNU wget 1.10.2
Gentoo net-misc/curl 7.15 .0
Daniel Stenberg curl 7.15
Daniel Stenberg curl 7.13.2

- Vulnerability discussion

GNU wget and cURL are prone to a buffer-overflow vulnerability because the applications fail to properly bounds-check user-supplied data before using it in a memory copy operation.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the user running the vulnerable application.

For an exploit to succeed, NTLM authentication must be enabled in the affected clients.

- Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

An updated version of GNU wget is available.

A security advisory and a patch for cURL have been released.

Please see the referenced vendor advisories for more information.


GNU wget 1.10
GNU wget 1.10.1
Conectiva Linux 10.0
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.4.1
Apple Mac OS X 10.4.2
Apple Mac OS X Server 10.4.3
Apple Mac OS X 10.4.3
SCO Open Server 5.0.6
SCO Open Server 6.0
Daniel Stenberg curl 7.10.7
Daniel Stenberg curl 7.10.8
Daniel Stenberg curl 7.11.2
Daniel Stenberg curl 7.12.2
Daniel Stenberg curl 7.13
Daniel Stenberg curl 7.13.1
Daniel Stenberg curl 7.14

- Related references

