Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.08.04

*I. BACKGROUND*

Squid is a fully-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, transparent caching, access control lists and many other features. More information is available at http://www.squid-cache.org.

*II. DESCRIPTION*

Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code.

Squid Web Proxy Cache supports Basic, Digest and NTLM authentication. The vulnerability specifically exists within the NTLM authentication helper routine, ntlm_check_auth(), located in helpers/ntlm_auth/SMB/libntlmssp.c:

    char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
    {
        int rv;
        char pass[25] /*, encrypted_pass[40] */;   /* fixed-size stack buffer */
        char *domain = credentials;
        ...
        memcpy(pass, tmp.str, tmp.l);   /* tmp.str and tmp.l are taken from the client's message; tmp.l is not checked against sizeof(pass) */
        ...

The function contains a buffer overflow vulnerability due to a lack of bounds checking on the data copied into the 'pass' buffer. Both the 'tmp.str' and 'tmp.l' variables used in the memcpy() call contain user-supplied data.

*III. ANALYSIS*

A remote attacker can compromise a target system if Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.

*IV. DETECTION*

iDEFENSE has confirmed the existence of this vulnerability in Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with the NTLM helper enabled.

*V. WORKAROUNDS*

Recompile Squid-Proxy with the NTLM helper disabled.

*VI. VENDOR RESPONSE*

A patch for this issue is available at:
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

*VII. CVE INFORMATION*

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0541 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

*VIII. DISCLOSURE TIMELINE*

04/27/04 Exploit acquired by iDEFENSE
05/19/04 iDEFENSE Clients notified
05/20/04 Initial vendor notification
05/20/04 Initial vendor response
06/07/04 Public Disclosure

*IX. CREDIT*

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

*X. LEGAL NOTICES*

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
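The bounds check missing from the memcpy() in section II, written as an added example for this page; it is not code from the advisory, from Squid, or from the vendor patch. The lstring struct and the name copy_password_checked() are assumptions that model the client-controlled (tmp.str, tmp.l) pair the advisory describes; the 25-byte buffer size is the one in the excerpt.

```c
/* Added example: a bounds-checked replacement for the unchecked
 * memcpy(pass, tmp.str, tmp.l) in ntlm_check_auth(). Not Squid code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_BUF 25            /* char pass[25] from the advisory excerpt */

typedef struct {               /* assumed shape of the advisory's tmp.str / tmp.l */
    int32_t l;                 /* length field decoded from the client's NTLM message */
    const char *str;           /* pointer into the client-supplied message */
} lstring;

/* Copies the password field into pass[] only if it fits (with room for a
 * terminating NUL). Returns 0 on success, -1 if the client-controlled
 * length is negative or too large; nothing is written on rejection. */
int copy_password_checked(char pass[PASS_BUF], lstring tmp)
{
    if (tmp.str == NULL || tmp.l < 0 || (size_t)tmp.l >= PASS_BUF)
        return -1;             /* would overrun pass[]: reject the message */
    memcpy(pass, tmp.str, (size_t)tmp.l);
    pass[tmp.l] = '\0';
    return 0;
}

/* Builds a constructed lstring from a C string (sample input only). */
lstring make_field(const char *s)
{
    lstring f = { (int32_t)strlen(s), s };
    return f;
}

int main(void)
{
    char pass[PASS_BUF];
    /* Constructed inputs: an 8-byte password, and a 40-byte field that the
     * original unchecked memcpy() would have written past the end of pass[]. */
    lstring ok  = make_field("secret12");
    lstring bad = make_field("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("8 bytes:  %s\n", copy_password_checked(pass, ok)  == 0 ? "accepted" : "rejected");
    printf("40 bytes: %s\n", copy_password_checked(pass, bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```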