linux, säkerhet

99107 2003-04-21  19:22  /71 rader/ Matthew Murphy <mattmurphy@kc.rr.com>
Importerad: 2003-04-21  19:22  av Brevbäraren
Extern mottagare: BugTraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <4561>
Ärende: Remote Vulnerabilties in mod_ntlm
------------------------------------------------------------
Product Description

mod_ntlm is an Apache module (originially designed for Apache 1.3,
now available for Apache 2.0) that provides the ability for Apache
services to authenticate users via the NTLM authentication technology
that is largely specific to Microsoft IIS.

Home page: http://www.sourceforge.net/projects/modntlm

Vulnerability Description

mod_ntlm contains a pair of remotely-exploitable vulnerabilities in
its data logging routine.  The vulnerabilities occur in a default
build.  The mod_ntlm "log()" function contains a pair of exploitable
error conditions:

static void
log(const request_rec * r, const char *format,...)
{
    va_list ap;
    char *s;

    if ((s = (char *) malloc(2048)) == NULL)
        return;
    va_start(ap, format);
    vsprintf(s, format, ap);
    va_end(ap);
    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO | APLOG_NOTICE, r, s);
    free(s);
}

The function is called with user-supplied input in various locations
in the code.  The first vulnerability is a heap overflow -- if any
user-supplied input is greater than 2048 characters, memory
management structures are overwritten, and arbitrary code execution
is possible.  Secondly, an incorrect call to ap_log_rerror().  The
last parameter to ap_log_rerror() is not a log line, but a format
string.  Due to the previous decoding operation, it becomes possible
to pass format specifiers to ap_log_rerror().  A carefully crafted
format string may allow code execution.

Proof-of-Concept

Either of the following two sessions will cause httpd to exit due to a
segmentation fault:

GET / HTTP/1.0
Authorization: [Ax3000]

OR

GET / HTTP/1.0
Authorization: %n%n%n%n

Similarly, a proxy server can be exploited by using an external URL
(http://www.yahoo.com/, for instance), in place of "/", and using
Proxy-Authorization, in place of Authorization in the examples above.

Vulnerable Versions

Apache 1.3: mod_ntlm v0.4 and prior
Apache 2.0: mod_ntlmv2 v0.1

Vendor Status

The vulnerability was submitted to the vendor via SourceForge at:
http://sourceforge.net/tracker/index.php?func=detail&aid=723468&group_id=490
6&atid=104906

The vendor has not responded to the bug report as of the time of
writing of this advisory.
(99107) /Matthew Murphy <mattmurphy@kc.rr.com>/(Ombruten)