SecurityTracker.com
Category:  Application (Generic)  >  Squid
Vendors:  Squid-cache.org
Squid NTLM Input Validation Error in ntlm_fetch_string() Lets Remote Users Crash the System
SecurityTracker Alert ID:  1011148
SecurityTracker URL:  http://securitytracker.com/id?1011148
CVE Reference:  CAN-2004-0832
OSVDB Reference:  9551
Updated:  Sep 15 2004
Original Entry Date:  Sep 3 2004
Impact:  Denial of service via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.5
Description:  A vulnerability was reported in Squid in the processing of NTLM authentication strings. A remote user can cause denial of service conditions.

Marco Ortisi reported that Squid does not properly validate certain parameters to prevent negative values. If NTLM authentication is enabled, a remote user can send certain malformed NTLMSSP packets to cause the target service to crash.

The flaw resides in ntlmGetString() in 'squid/squid/helpers/ntlm_auth/fakeauth/fakeauth_auth.c' and in ntlm_fetch_string() in 'squid/squid/lib/ntlmauth.c'.

Impact:  A remote user can cause the target service to crash.
Solution:  A fix is available via CVS. Also, a patch is available at:

http://www.squid-cache.org/bugs/attachment.cgi?id=432&action=view

Vendor URL:  www.squid-cache.org/bugs/show_bug.cgi?id=1045
Cause:  Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 15 2004 (Mandrake Issues Fix) Squid NTLM Input Validation Error in ntlm_fetch_string() Lets Remote Users Crash the System   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Sep 30 2004 (Red Hat Issues Fix for RHEL) Squid NTLM Input Validation Error in ntlm_fetch_string() Lets Remote Users Crash the System   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Oct 11 2004 (Turbolinux Issues Fix) Squid NTLM Input Validation Error in ntlm_fetch_string() Lets Remote Users Crash the System   (Turbolinux <security-announce@turbolinux.co.jp>)
Turbolinux has issued a fix.
Nov 3 2004 (Conectiva Issues Fix) Squid NTLM Input Validation Error in ntlm_fetch_string() Lets Remote Users Crash the System   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.



 Source Message Contents

Date:  Fri, 3 Sep 2004 08:44:42 -0400
Subject:  http://www.squid-cache.org/bugs/show_bug.cgi?id=1045

 
 
From: marco.ortisi@flashcom.it (Marco Ortisi)
Date: Aug 18, 2004
Summary: ntlm_fetch_string wrong "if" statement
 
Excuse me in advance for my poor English.
 
I think that I have found a bug in Squid (2.x and all 3.x).
"ntlm_fetch_string" in "lib/ntlmauth.c" captures a string and
its length from a security buffer and returns them in an lstring
struct named "rv".
 
Within the "if" statement we have:
 
l < 0 || l > MAX_FIELD_LENGTH || o + l > length || o == 0
 
If the check passes
 
rv.str = packet + o; <--- pointer to data
 
and
 
rv.l = l; <--- length of data
 
int32_t offset "o" isn't checked for a negative value. If a malformed
security buffer is triggered where o = -1000000000 or any negative
value, memcpy's in "ntlm_check_auth" (helpers/ntlm_auth/SMB/libntlmssp.c)
could fail to grab data and crash.
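
The check quoted in the report, placed beside a range-checked variant, as an added example that is not Squid's code, the vendor patch, or the reporter's code. The value of MAX_FIELD_LENGTH, the lstring layout, and the names reject_as_reported, reject_hardened and fetch_string_checked are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FIELD_LENGTH 300 /* assumed value for this example */

/* Field names "str" and "l" are from the report; the layout is assumed. */
typedef struct {
    const char *str; /* pointer to data inside the packet */
    int32_t l;       /* length of data */
} lstring;

/* The condition quoted in the report: non-zero means "reject".
 * The offset o is never tested for a negative value. */
static int reject_as_reported(int32_t l, int32_t o, int32_t length)
{
    return l < 0 || l > MAX_FIELD_LENGTH || o + l > length || o == 0;
}

/* Hardened variant (hypothetical): every field is range-checked and
 * the end of the string is compared without computing o + l. */
static int reject_hardened(int32_t l, int32_t o, int32_t length)
{
    if (length <= 0 || l < 0 || l > MAX_FIELD_LENGTH)
        return 1;
    if (o <= 0 || o > length)
        return 1;
    return l > length - o; /* safe: 0 < o <= length */
}

/* Hypothetical fetch helper: returns {NULL, 0} for a rejected buffer. */
static lstring fetch_string_checked(const char *packet, int32_t length,
                                    int32_t l, int32_t o)
{
    lstring rv = { NULL, 0 };
    if (reject_hardened(l, o, length))
        return rv;
    rv.str = packet + o;
    rv.l = l;
    return rv;
}

int main(void)
{
    /* Constructed values: 64-byte packet, 16-byte field, offset from the report. */
    int32_t length = 64, l = 16, o = -1000000000;
    printf("as reported: %s\n", reject_as_reported(l, o, length) ? "rejected" : "accepted");
    printf("hardened:    %s\n", reject_hardened(l, o, length) ? "rejected" : "accepted");
    return 0;
}
```

With a negative offset, o + l stays far below the packet length and o is not zero, so the reported condition accepts the buffer and rv.str would point outside the packet.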
 



Copyright 2004, SecurityGlobal.net LLC