Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.08.04:

*I. BACKGROUND*

Squid is a fully-featured Web Proxy Cache designed to run on Unix
systems and supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features. More information is available at
http://www.squid-cache.org.

*II. DESCRIPTION*

Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
{
    int rv;
    char pass[25] /*, encrypted_pass[40] */;
    char *domain = credentials;
    ...
    memcpy(pass, tmp.str, tmp.l);
    ...

The function contains a buffer overflow vulnerability due to a lack of
bounds checking on the values copied to the 'pass' variable. Both the
'tmp.str' and 'tmp.l' variables used in the memcpy() call contain
user-supplied data.

*III. ANALYSIS*

A remote attacker can compromise a target system if Squid Proxy is
configured to use the NTLM authentication helper. The attacker can send
an overly long password to overflow the buffer and execute arbitrary
code.

*IV. DETECTION*

iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.

*V. WORKAROUNDS*

Recompile Squid-Proxy with NTLM handlers disabled.

*VI. VENDOR RESPONSE*

A patch for this issue is available at:

http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

*VII. CVE INFORMATION*

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0541 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which
standardizes names for
security problems.

*VIII. DISCLOSURE TIMELINE*

04/27/04  Exploit acquired by iDEFENSE
05/19/04  iDEFENSE Clients notified
05/20/04  Initial vendor notification
05/20/04  Initial vendor response
06/07/04  Public Disclosure

*IX. CREDIT*

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

*X. LEGAL NOTICES*

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com
for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.