SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Evolution Vendors:   Gnome Development Team
Evolution Camel NTLM SASL Processing Bug Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1021845
SecurityTracker URL:  http://securitytracker.com/id/1021845
CVE Reference:   CVE-2009-0582   (Links to External Site)
Date:  Mar 13 2009
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.25.92 and prior versions
Description:   A vulnerability was reported in Evolution. A remote server can obtain potentially sensitive information from the target client.

A remote server can send specially crafted NTLM SASL authentication challenge packets (NTLM authentication type 2 packets) to cause the target client to return a portion of system memory.

The flaw resides in the ntlm_challenge() function in 'camel/camel-sasl-ntlm.c'.
Impact:   A remote user can obtain potentially sensitive information from system memory.
Solution:   The vendor has issued a source code fix.

The vendor's advisory is available at:

http://mail.gnome.org/archives/release-team/2009-March/msg00096.html
Vendor URL:  projects.gnome.org/evolution/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 16 2009 (Red Hat Issues Fix) Evolution Camel NTLM SASL Processing Bug Lets Remote Users Obtain Potentially Sensitive Information   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.
Mar 16 2009 (Red Hat Issues Fix) Evolution Camel NTLM SASL Processing Bug Lets Remote Users Obtain Potentially Sensitive Information   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Mar 16 2009 (Red Hat Issues Fix) Evolution Camel NTLM SASL Processing Bug Lets Remote Users Obtain Potentially Sensitive Information   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.


 Source Message Contents
Date:  Fri, 13 Mar 2009 08:05:57 -0500
Subject:  http://mail.gnome.org/archives/release-team/2009-March/msg00096.html


This is for CVE-2009-0582.  I'm hereby making it public.

Camel's NTLM SASL authentication mechanism does not properly validate
server's challenge packets (NTLM authentication type 2 packets, [1]).
In the ntlm_challenge() in camel/camel-sasl-ntlm.c, length of the domain
string that was copied from type 2 to type 3 packet (client's reply to
server's challenge) was not properly validated against the rest of the
data received from the server.

127     ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
128              token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
129              atoi (token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));

Server could specify larger length than the actual data sent in the
packet, causing the client to disclose portion of its memory, or crash.

Note: length value was not properly extracted from the packet too, as it
is not passed as string, rather as 16-bit LE value.

Red Hat security verified the patch for this and it was sent to other
vendors on March 4.  I would like to get this committed before 2.26.0
releases.

[1] http://curl.haxx.se/rfc/ntlm.html#theType2Message


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC