Date:      9 Jun 2004 18:50:36 -0000
From:      Thomas-Martin Seck <tmseck@netcologne.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        security-team@FreeBSD.org
Subject:   ports/67764: [Maintainer] [Security] www/squid: fix buffer overflow vuln in NTLM auth helper
Message-ID:  <20040609185036.16172.qmail@laurel.tmseck.homedns.org>
Resent-Message-ID: <200406091900.i59J0hrI039945@freefall.freebsd.org>


>Number:         67764
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: fix buffer overflow vuln in NTLM auth helper
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 09 19:00:42 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports repository as of June 9th, 2004.

	
>Description:
Security update (Security team CC'ed)
Include a patch to fix a buffer overflow vulnerability in the NTLM auth
helper. See <http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
for iDefense's original advisory. CVE ID CAN-2004-0541 has been assigned to
this issue.

Include two further vendor patches:
- fix negative size in access.log for long running CONNECT requests
  (squid bug #941)
- fix a crash that could occur when squid detected a "likely proxy abuse"
  (squid bug #972)

added file:
files/patch-helpers-ntlm_auth-SMB-libntlmssp.c

Proposed vulnerability database entry:

<topic>squid NTLM auth helper buffer overflow vulnerability</topic>
<affects>
	<package>
		<name>squid</name>
		<range><lt>2.5.5_8</lt></range>
	</package>
</affects>
<description>
	<body xmlns="http://www.w3.org/1999/xhtml">
		<p>Remote exploitation of a buffer overflow vulnerability in
	          the NTLM authentication helper routine of the Squid Web
		  Proxy Cache could allow a remote attacker to execute
		  arbitrary code. A remote attacker can compromise a target
		  system if the Squid Proxy is configured to use the NTLM
		  authentication helper. The attacker can send an overly long
		  password to overflow the buffer and execute arbitrary
		  code.</p>
	</body>
</description>
<references>
	<url>http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false</url>
	<cvename>CAN-2004-0541</cvename>
</references>
<dates>
	<discovery>2004-05-20</discovery>
</dates>
>How-To-Repeat:
	
>Fix:
Apply this patch and "CVS add" files/patch-helpers-ntlm_auth-SMB-libntlmssp.c:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 84)
+++ distinfo	(.../local/squid)	(revision 84)
@@ -44,3 +44,7 @@
 SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408
 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd
 SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644
+MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238
+SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
+MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
+SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
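Review bot: only an MD5 and a size are recorded for the two new vendor patches, and MD5 is collision-prone, so a reviewer should fetch squid-2.5.STABLE5-CONNECT_log_size.patch and squid-2.5.STABLE5-proxy_abuse.patch from the vendor and read them rather than trust the digest alone; the two entries otherwise match the PATCHFILES additions in the Makefile hunk.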
Index: files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
===================================================================
--- files/patch-helpers-ntlm_auth-SMB-libntlmssp.c	(revision 0)
+++ files/patch-helpers-ntlm_auth-SMB-libntlmssp.c	(revision 84)
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>;
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>;
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c	30 Nov 2001 09:50:28 -0000	1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c	20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+ 
+ int ntlm_errno;
+-static char credentials[1024];	/* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
+ 
+ 
+ /* Fetches the user's credentials from the challenge.
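Review bot: the replacement size MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2 is exactly 512 bytes, which holds a 255-byte domain, its terminator, a 255-byte user name and its terminator only if the user name begins right after the domain terminator, so the pointer arithmetic in the later hunks has no slack at all; the retained comment `/* we can afford to waste */` no longer describes the buffer and should be dropped, and MAX_PASSWD_LEN deserves a comment saying why 31 is the limit.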
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+     int rv;
+-    char pass[25] /*, encrypted_pass[40] */;
++    char pass[MAX_PASSWD_LEN+1];
+     char *domain = credentials;
+     char *user;
+     lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ 	ntlm_errno = NTLM_LOGON_ERROR;
+ 	return NULL;
+     }
++    if (tmp.l > MAX_DOMAIN_LEN) {
++	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++	ntlm_errno = NTLM_LOGON_ERROR;
++	return NULL;
++    }
+     memcpy(domain, tmp.str, tmp.l);
+-    user = domain + tmp.l;
++    user = domain + tmp.l + 1;
+     *user++ = '\0';
+ 
+ /*      debug("fetching user name\n"); */
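Review bot: `user = domain + tmp.l + 1;` combined with the unchanged `*user++ = '\0';` writes the terminator at domain[tmp.l + 1] and never touches domain[tmp.l], so the domain string is terminated only by whatever the static credentials buffer already held there (a stale byte if an earlier request carried a longer domain). It also moves user one byte to the right, so a 255-byte domain followed by a 255-byte user name makes the later `*(user + tmp.l) = '\0'` land at credentials[512], one past the end of the 512-byte buffer. Keep the original `user = domain + tmp.l;`; the new length check already guarantees the domain fits.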
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ 	ntlm_errno = NTLM_LOGON_ERROR;
+ 	return NULL;
+     }
++    if (tmp.l > MAX_USERNAME_LEN) {
++	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++	ntlm_errno = NTLM_LOGON_ERROR;
++	return NULL;
++    }
+     memcpy(user, tmp.str, tmp.l);
+     *(user + tmp.l) = '\0';
+ 
+ 		
+-		/* Authenticating against the NT response doesn't seem to work... */
++    /* Authenticating against the NT response doesn't seem to work... */
+     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+     if (tmp.str == NULL || tmp.l == 0) {
+ 	fprintf(stderr, "No auth at all. Returning no-auth\n");
+ 	ntlm_errno = NTLM_LOGON_ERROR;
+ 	return NULL;
+     }
+-		
++    if (tmp.l > MAX_PASSWD_LEN) {
++	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++	ntlm_errno = NTLM_LOGON_ERROR;
++	return NULL;
++    }
++
+     memcpy(pass, tmp.str, tmp.l);
+-    pass[25] = '\0';
++    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+ 
+ #if 1
+ 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
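Review bot: after the `tmp.l > MAX_PASSWD_LEN` rejection tmp.l is at most 31, so `pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0'` reduces to `pass[tmp.l] = '\0'` and the `min` macro (whose arguments are not parenthesized) need not be involved; the copy into the 32-byte pass[] is then correctly bounded. The re-indentation of the `/* Authenticating against the NT response ... */` comment and the removed blank line are cosmetic and would be easier to audit in a separate change.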
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 84)
+++ Makefile	(.../local/squid)	(revision 84)
@@ -2,7 +2,7 @@
 # Date created:		Tue Mar 27 14:56:08 CEST 2001
 # Whom:			Adrian Chadd <adrian@FreeBSD.org>
 #
-# $FreeBSD$
+# $FreeBSD: ports/www/squid/Makefile,v 1.123 2004/05/01 20:48:47 krion Exp $
 #
 # Tunables not (yet) configurable via 'make config':
 # SQUID_{U,G}ID
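Review bot: replacing `$FreeBSD$` with its expanded form is not a change to submit in a diff; the repository expands the keyword on commit, so this hunk is noise and should be dropped so the diff applies cleanly against a freshly checked-out Makefile.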
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	8
+PORTREVISION=	9
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
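Review bot: PORTREVISION 9 makes the fixed package squid-2.5.5_9, but the proposed VuXML entry above gives the affected range as `<lt>2.5.5_8</lt>`, which would declare 2.5.5_8 (the revision this update replaces) unaffected; the range should read `<lt>2.5.5_9</lt>` to match this bump.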
@@ -63,7 +63,9 @@
 		squid-2.5.STABLE5-debug_client_ip.patch \
 		squid-2.5.STABLE5-ftp_html_doctype.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
-		squid-2.5.STABLE5-msnt_auth_doc.patch
+		squid-2.5.STABLE5-msnt_auth_doc.patch \
+		squid-2.5.STABLE5-CONNECT_log_size.patch \
+		squid-2.5.STABLE5-proxy_abuse.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
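Review bot: the two new PATCHFILES are applied with the shared `PATCH_DIST_STRIP=	-p1`, so both vendor patches must carry the same one-level path prefix as the existing squid-2.5.STABLE5-*.patch files; their MD5/SIZE entries are in the distinfo hunk, while the port's own files/patch-helpers-ntlm_auth-SMB-libntlmssp.c is applied from files/ and correctly has no distinfo entry.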
	


>Release-Note:
>Audit-Trail:
>Unformatted: