lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 21 Apr 2003 12:11:43 -0500
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: "BugTraq" <bugtraq@...urityfocus.com>
Subject: Remote Vulnerabilties in mod_ntlm


Product Description

mod_ntlm is an Apache module (originially designed for Apache 1.3, now
available for Apache 2.0) that provides the ability for Apache services to
authenticate users via the NTLM authentication technology that is largely
specific to Microsoft IIS.

Home page: http://www.sourceforge.net/projects/modntlm

Vulnerability Description

mod_ntlm contains a pair of remotely-exploitable vulnerabilities in its data
logging routine.  The vulnerabilities occur in a default build.  The
mod_ntlm "log()" function contains a pair of exploitable error conditions:

static void
log(const request_rec * r, const char *format,...)
{
    va_list ap;
    char *s;

    if ((s = (char *) malloc(2048)) == NULL)
        return;
    va_start(ap, format);
    vsprintf(s, format, ap);
    va_end(ap);
    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO | APLOG_NOTICE, r, s);
    free(s);
}

The function is called with user-supplied input in various locations in the
code.  The first vulnerability is a heap overflow -- if any user-supplied
input is greater than 2048 characters, memory management structures are
overwritten, and arbitrary code execution is possible.  Secondly, an
incorrect call to ap_log_rerror().  The last parameter to ap_log_rerror() is
not a log line, but a format string.  Due to the previous decoding
operation, it becomes possible to pass format specifiers to ap_log_rerror().
A carefully crafted format string may allow code execution.

Proof-of-Concept

Either of the following two sessions will cause httpd to exit due to a
segmentation fault:

GET / HTTP/1.0
Authorization: [Ax3000]

OR

GET / HTTP/1.0
Authorization: %n%n%n%n

Similarly, a proxy server can be exploited by using an external URL
(http://www.yahoo.com/, for instance), in place of "/", and using
Proxy-Authorization, in place of Authorization in the examples above.

Vulnerable Versions

Apache 1.3: mod_ntlm v0.4 and prior
Apache 2.0: mod_ntlmv2 v0.1

Vendor Status

The vulnerability was submitted to the vendor via SourceForge at:
http://sourceforge.net/tracker/index.php?func=detail&aid=723468&group_id=490
6&atid=104906

The vendor has not responded to the bug report as of the time of writing of
this advisory.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ