[DER #11] - Remotey exploitable fmt string bug in squid

From: david evlis reign (davidreignat_private)
Date: Mon Jun 03 2002 - 19:25:18 PDT

  • Next message: Ron DuFresne: "RE: wireless woes in the triangle and beyond!"

    -------------------------------------------
    - DAVID EVLIS REIGN SECURITY ADVISORY #11 -
    -------------------------------------------
    
    - WHAT -
    Remotely Exploitable Format string Hole
    
    - WHO -
    MSNT squid auth for NtDomains
    
    - DETAILS ON PRODUCT -
    This is an authentication module for the Squid proxy server to authenticate 
    users on an NT domain
    It originates from the Samba and SMB packages by Andrew Tridgell and Richard 
    Sharpe. This version
    is sourced from the Pike authentication module by William Welliver 
    (hwelliveat_private).
    Usage is simple. It accepts a username and password on standard input and 
    will return OK if the
    username/password is valid for the domain, or ERR if there was some problem.
    Check syslog messages for reported problems.
    Msntauth is released under the GNU General Public License and is available 
    from
    http://stellarx.tripod.com.
    
    - DETAILS OF EXPLOIT -
    In the allowuser code of MSNT there is (cough *many buffer overflows* cough) 
    a remotely
    exploitable syslog() call which may under certain circumstances lead to 
    remote compromisation
    of the box running it (windows [1398|me|2000|xp].[1]).
    
    code portions taken from the exploitable bit of code...
    
    sscanf(ConnectingUser, " %s ", CUBuf); <-- i wont ask..
      sprintf(CUBuf, " %s ", CUBuf); <-- again i wont...
    
      for (x = 0; x <= strlen(CUBuf); x++)
          CUBuf[x] = toupper(CUBuf[x]); <-- again....
    
      if (strstr(AllowedUsers, CUBuf) != NULL)
         return 1;
      else                    /* If NULL, they are not allowed to use the proxy 
    */
      {
         sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf); <-- my god...
         syslog(LOG_USER | LOG_ERR, AllowMsg); <-- HERE WE ARE!!!!!
         return 0;
      }
    
    as you can see, the connectinguser sends over the data which will be held in 
    the very
    well bounds checked CUBuf (cough) and if they are _not_ alowed (which means 
    if there name
    happens to be AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x) and 
    does not
    pass then you are in trouble.
    
    also to note, the same thing happens in denyuser code too :~.
    
    - VENDOR NOTIFICATION -
    n to the o
    
    - QUICK HELLOS -
    michael zalewiski, skyper, rfp, casper dik
    
    - EXPLOIT -
    a working exploit has been created but at the moment seeing this is packaged 
    by _default_
    with the squish caching server then everyone who uses this product could be 
    at a potential risk,
    therefore in keeping withe proper practice methology it shall not be 
    released. yet.
    
    
    
    
    
    
    _________________________________________________________________
    Chat with friends online, try MSN Messenger: http://messenger.msn.com
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 09:13:08 PDT