what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mod_ntlm.txt

mod_ntlm.txt
Posted Apr 21, 2003
Authored by Matthew Murphy

mod_ntlm is the Apache module for versions 1.3 and 2.0 which gives Apache the ability to authenticate users via the NTLM authentication technology that is largely specific to Microsoft IIS. The log() function contains two remotely exploitable vulnerabilities. Both a heap overflow and an incorrect call to ap_log_rerror() allow for arbitrary code execution.

tags | exploit, overflow, arbitrary, vulnerability, code execution
SHA-256 | 802cd05c619e98126a7d5192a17c55f423eeb343fb55248fd94b28417e566c3d

mod_ntlm.txt

Change Mirror Download
Product Description

mod_ntlm is an Apache module (originially designed for Apache 1.3, now
available for Apache 2.0) that provides the ability for Apache services to
authenticate users via the NTLM authentication technology that is largely
specific to Microsoft IIS.

Home page: http://www.sourceforge.net/projects/modntlm

Vulnerability Description

mod_ntlm contains a pair of remotely-exploitable vulnerabilities in its data
logging routine. The vulnerabilities occur in a default build. The
mod_ntlm "log()" function contains a pair of exploitable error conditions:

static void
log(const request_rec * r, const char *format,...)
{
va_list ap;
char *s;

if ((s = (char *) malloc(2048)) == NULL)
return;
va_start(ap, format);
vsprintf(s, format, ap);
va_end(ap);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO | APLOG_NOTICE, r, s);
free(s);
}

The function is called with user-supplied input in various locations in the
code. The first vulnerability is a heap overflow -- if any user-supplied
input is greater than 2048 characters, memory management structures are
overwritten, and arbitrary code execution is possible. Secondly, an
incorrect call to ap_log_rerror(). The last parameter to ap_log_rerror() is
not a log line, but a format string. Due to the previous decoding
operation, it becomes possible to pass format specifiers to ap_log_rerror().
A carefully crafted format string may allow code execution.

Proof-of-Concept

Either of the following two sessions will cause httpd to exit due to a
segmentation fault:

GET / HTTP/1.0
Authorization: [Ax3000]

OR

GET / HTTP/1.0
Authorization: %n%n%n%n

Similarly, a proxy server can be exploited by using an external URL
(http://www.yahoo.com/, for instance), in place of "/", and using
Proxy-Authorization, in place of Authorization in the examples above.

Vulnerable Versions

Apache 1.3: mod_ntlm v0.4 and prior
Apache 2.0: mod_ntlmv2 v0.1

Vendor Status

The vulnerability was submitted to the vendor via SourceForge at:
http://sourceforge.net/tracker/index.php?func=detail&aid=723468&group_id=490
6&atid=104906

The vendor has not responded to the bug report as of the time of writing of
this advisory.

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close