CVE-2004-0541 - Buffer Overflow vulnerability in Squid Proxy NTLM Authentication

CVSS 10.0 - CRITICAL (CVSS v2 base vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).

Exploit-Db

  • description: Squid 2.5.x, 3.x NTLM Buffer Overflow. CVE-2004-0541. Remote exploit for multiple platforms
    id: EDB-ID:9951
    last seen: 2016-02-01
    modified: 2004-06-08
    published: 2004-06-08
    reporter: skape
    source: https://www.exploit-db.com/download/9951/
    title: Squid 2.5.x / 3.x - NTLM Buffer Overflow
  • description: Squid NTLM Authenticate Overflow. CVE-2004-0541. Remote exploit for Linux platform
    id: EDB-ID:16847
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16847/
    title: Squid NTLM Authenticate Overflow

Metasploit

description: This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user-controlled data of a user-defined length. Props to iDEFENSE for the advisory.
id: MSF:EXPLOIT/LINUX/PROXY/SQUID_NTLM_AUTHENTICATE
last seen: 2020-03-11
modified: 2017-07-24
published: 2006-12-14
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/proxy/squid_ntlm_authenticate.rb
title: Squid NTLM Authenticate Overflow
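The Summary and the Metasploit description above describe the same defect: ntlm_check_auth copies the client-supplied LM response (the "LanMan hash value" of the Nessus plugin description further down) into the fixed-size stack variable 'pass' using the length the client declared in the NTLM Type 3 message. The C program below is an added illustration of that pattern and is not Squid's code or the exploit module: it models the Type 3 security-buffer layout and the helper's "does the payload lie inside the message" check, reports how far an unchecked copy would overrun a 25-byte buffer instead of performing the write, and places the hardened check next to it. The message builder, the 25-byte buffer size, the return codes and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLM AUTHENTICATE (Type 3) layout used here: 8-byte "NTLMSSP\0" signature,
 * 4-byte message type, then security-buffer descriptors of Len(2) MaxLen(2)
 * Offset(4) for LM response, NT response, domain, user, workstation, key. */
#define NTLM_SIGNATURE    "NTLMSSP"   /* 7 chars + NUL = 8 bytes */
#define NTLM_AUTHENTICATE 3
#define OFF_TYPE          8
#define OFF_LMRESP        12
#define TYPE3_HDR_LEN     64
#define LM_RESPONSE_LEN   24          /* a genuine LM response is always 24 bytes */
#define PASS_BUF_LEN      (LM_RESPONSE_LEN + 1)  /* assumed size of the stack buffer 'pass' */

struct lstr { const uint8_t *str; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve a security-buffer descriptor against the received bytes: the payload
 * must lie inside the message. Nothing here knows how big the destination is. */
static int fetch_string(const uint8_t *msg, size_t msg_len, size_t desc_off, struct lstr *out)
{
    if (desc_off + 8 > msg_len) return -1;
    uint16_t len = rd16(msg + desc_off);
    uint32_t off = rd32(msg + desc_off + 4);
    if (off > msg_len || len > msg_len - off) return -1;
    out->str = msg + off;
    out->len = len;
    return 0;
}

static int is_authenticate(const uint8_t *msg, size_t msg_len)
{
    return msg_len >= TYPE3_HDR_LEN && memcmp(msg, NTLM_SIGNATURE, 8) == 0
        && rd32(msg + OFF_TYPE) == NTLM_AUTHENTICATE;
}

/* Vulnerable shape: the client-declared length drives the copy into the fixed
 * stack buffer, i.e. memcpy(pass, lm.str, lm.len); pass[lm.len] = '\0';
 * Instead of performing that write, return how many bytes would land past the
 * end of the 25-byte buffer (0 = fits, -1 = message rejected before the copy). */
static long unchecked_copy_overrun(const uint8_t *msg, size_t msg_len)
{
    struct lstr lm;
    if (!is_authenticate(msg, msg_len) || fetch_string(msg, msg_len, OFF_LMRESP, &lm) != 0)
        return -1;
    size_t written = lm.len + 1;  /* response bytes plus the terminating NUL */
    return written > PASS_BUF_LEN ? (long)(written - PASS_BUF_LEN) : 0;
}

/* Hardened shape: bound the copy by the destination and accept only the one
 * length an LM response can have. 0 = ok, -1 = malformed/empty, -2 = oversized. */
static int check_auth_fixed(const uint8_t *msg, size_t msg_len, char *pass, size_t pass_len)
{
    struct lstr lm;
    if (!is_authenticate(msg, msg_len)) return -1;
    if (fetch_string(msg, msg_len, OFF_LMRESP, &lm) != 0 || lm.len == 0) return -1;
    if (lm.len != LM_RESPONSE_LEN || lm.len + 1 > pass_len) return -2;
    memcpy(pass, lm.str, lm.len);
    pass[lm.len] = '\0';
    return 0;
}

/* Constructed input: a minimal Type 3 message whose LM descriptor declares
 * lm_len bytes of 'A' placed directly after the 64-byte header. */
static size_t build_type3(uint8_t *buf, size_t buf_len, size_t lm_len)
{
    if (lm_len > 0xffff || buf_len < TYPE3_HDR_LEN + lm_len) return 0;
    memset(buf, 0, TYPE3_HDR_LEN + lm_len);
    memcpy(buf, NTLM_SIGNATURE, 8);
    buf[OFF_TYPE] = NTLM_AUTHENTICATE;
    buf[OFF_LMRESP]     = (uint8_t)(lm_len & 0xff);   /* Len, little-endian */
    buf[OFF_LMRESP + 1] = (uint8_t)(lm_len >> 8);
    buf[OFF_LMRESP + 2] = buf[OFF_LMRESP];            /* MaxLen = Len */
    buf[OFF_LMRESP + 3] = buf[OFF_LMRESP + 1];
    buf[OFF_LMRESP + 4] = TYPE3_HDR_LEN;              /* Offset (< 256, so one byte) */
    memset(buf + TYPE3_HDR_LEN, 'A', lm_len);
    return TYPE3_HDR_LEN + lm_len;
}

/* Run both shapes against a message carrying an lm_len-byte LM response. */
static long overrun_for(size_t lm_len)
{
    uint8_t buf[1024];
    size_t n = build_type3(buf, sizeof buf, lm_len);
    return n ? unchecked_copy_overrun(buf, n) : -1;
}

static int fixed_result_for(size_t lm_len)
{
    uint8_t buf[1024];
    char pass[PASS_BUF_LEN];
    size_t n = build_type3(buf, sizeof buf, lm_len);
    return n ? check_auth_fixed(buf, n, pass, sizeof pass) : -1;
}

int main(void)
{
    printf("24-byte LM response:  overrun=%ld fixed=%d\n", overrun_for(24), fixed_result_for(24));
    printf("300-byte LM response: overrun=%ld fixed=%d\n", overrun_for(300), fixed_result_for(300));
    return 0;
}
```

A 24-byte response passes both paths; a 300-byte response would overrun the modelled buffer by 276 bytes on the unchecked path and is refused by the hardened check. The point worth keeping in mind when reading the advisories below is that the in-message bounds check (offset and length inside the received data) is necessary but not sufficient: the copy also has to be bounded by the size of the destination.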

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_SQUID_255_9.NASL
    description: The following package needs to be updated: squid
    last seen: 2016-09-26
    modified: 2011-10-03
    plugin id: 12616
    published: 2004-07-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=12616
    title: FreeBSD : Buffer overflow in Squid NTLM authentication helper (183)
    code:
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated by freebsd_pkg_6f955451ba5411d8b88c000d610a3b12.nasl.
    #
    # Disabled on 2011/10/02.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This script contains information extracted from VuXML :
    #
    # Copyright 2003-2006 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #   copyright notice, this list of conditions and the following
    #   disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #   published online in any format, converted to PDF, PostScript,
    #   RTF and other formats) must reproduce the above copyright
    #   notice, this list of conditions and the following disclaimer
    #   in the documentation and/or other materials provided with the
    #   distribution.
    #
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    #
    #
    
    include('compat.inc');
    
    if ( description )
    {
     script_id(12616);
     script_version("1.15");
     script_bugtraq_id(10500);
     script_cve_id("CVE-2004-0541");
    
     script_name(english:"FreeBSD : Buffer overflow in Squid NTLM authentication helper (183)");
    
    script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
    script_set_attribute(attribute:'description', value:'The following package needs to be updated: squid');
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Squid NTLM Authenticate Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
    script_set_attribute(attribute: 'see_also', value: 'http://bugs.libgd.org/?do=details&task_id=70
    http://bugs.libgd.org/?do=details&task_id=87
    http://bugs.libgd.org/?do=details&task_id=89
    http://bugs.libgd.org/?do=details&task_id=94
    http://secunia.com/advisories/11804
    http://www.frsirt.com/english/advisories/2007/2336
    http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false
    http://www.libgd.org/ReleaseNote020035
    http://www.mozilla.org/projects/security/known-vulnerabilities.html
    http://www.mozilla.org/security/announce/mfsa2005-46.html
    http://www.mozilla.org/security/announce/mfsa2005-47.html
    http://www.squid-cache.org/bugs/show_bug.cgi?id=998');
    script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/6f955451-ba54-11d8-b88c-000d610a3b12.html');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
     script_cvs_date("Date: 2018/08/22 16:49:14");
     script_end_attributes();
     script_summary(english:"Check for squid");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/FreeBSD/pkg_info");
     exit(0);
    }
    
    # Deprecated.
    exit(0, "This plugin has been deprecated. Refer to plugin #36518 (freebsd_pkg_6f955451ba5411d8b88c000d610a3b12.nasl) instead.");
    
    global_var cvss_score;
    cvss_score=10;
    include('freebsd_package.inc');
    
    
    pkg_test(pkg:"squid<2.5.5_9");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-164.NASL
    description:
      - Mon Jun 07 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE3-4.fc2 - Backport security fix for ntlm auth helper (CVE-2004-0541).
      - Thu Apr 08 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE5-3 - Fix the -pipe patch to have the correct name of the winbind pipe.
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13718
    published: 2004-07-23
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13718
    title: Fedora Core 2 : squid-2.5.STABLE5-4.fc2 (2004-164)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_6F955451BA5411D8B88C000D610A3B12.NASL
    description: Remote exploitation of a buffer overflow vulnerability in the NTLM authentication helper routine of the Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. A remote attacker can compromise a target system if the Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36518
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36518
    title: FreeBSD : Buffer overflow in Squid NTLM authentication helper (6f955451-ba54-11d8-b88c-000d610a3b12)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-059.NASL
    description: A vulnerability exists in squid
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14158
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14158
    title: Mandrake Linux Security Advisory : squid (MDKSA-2004:059)
  • NASL family: Firewalls
    NASL id: SQUID_NTLM.NASL
    description: The remote server is affected by a remote code execution vulnerability in the Squid Internet Object Cache server due to a failure to test the length of the user-supplied LanMan hash value in the ntlm_check_auth() function in libntlmssp.c. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code. Note that Squid 2.5*-STABLE and 3.*-PRE are reportedly vulnerable.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12294
    published: 2004-06-30
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12294
    title: Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-163.NASL
    description:
      - Mon Jun 07 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE3-2.fc1 - Backport patch for CVE-2004-0541: buffer overflow in ntlm auth helper.
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13717
    published: 2004-07-23
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13717
    title: Fedora Core 1 : squid-2.5.STABLE3-2.fc1 (2004-163)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200406-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200406-13 (Squid: NTLM authentication helper buffer overflow). Squid is a full-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, transparent caching, access control lists and many other features.
      Impact: If Squid is configured to use NTLM authentication, an attacker could exploit this vulnerability by sending a very long password. This could lead to arbitrary code execution with the permissions of the user running Squid.
      Workaround: There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14524
    published: 2004-08-30
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14524
    title: GLSA-200406-13 : Squid: NTLM authentication helper buffer overflow
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-242.NASL
    description: An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available. Squid is a full-featured Web proxy cache. A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0541 to this issue.
      Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the helper. Users of Squid should update to this errata package which contains a backported patch that is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12504
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12504
    title: RHEL 3 : squid (RHSA-2004:242)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2004_016.NASL
    description: The remote host is missing the patch for the advisory SuSE-SA:2004:016 (squid). Squid is a feature-rich web proxy with support for various web-related protocols. The NTLM authentication helper application of Squid is vulnerable to a buffer overflow that can be exploited remotely by using a long password to execute arbitrary code. NTLM authentication is enabled by default in the Squid package that is shipped by SUSE LINUX. There is no workaround known other than turning off NTLM authentication. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13832
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13832
    title: SuSE-SA:2004:016: squid

Oval

  • accepted: 2013-04-29T04:08:06.097-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    description: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
    family: unix
    id: oval:org.mitre.oval:def:10722
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
    version: 26
  • accepted: 2010-09-20T04:00:47.787-04:00
    class: vulnerability
    contributors:
    • name: Jay Beale
      organization: Bastille Linux
    • name: Jonathan Baker
      organization: The MITRE Corporation
    description: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
    family: unix
    id: oval:org.mitre.oval:def:980
    status: accepted
    submitted: 2004-06-10T12:00:00.000-04:00
    title: NTLM Authentication BO in Squid Web Proxy Cache
    version: 6

Packetstorm

data source: https://packetstormsecurity.com/files/download/82249/squid_ntlm_authenticate.rb.txt
id: PACKETSTORM:82249
last seen: 2016-12-05
published: 2009-10-27
reporter: skape
source: https://packetstormsecurity.com/files/82249/Squid-NTLM-Authenticate-Overflow.html
title: Squid NTLM Authenticate Overflow

Redhat

advisories:
  rhsa:
    id: RHSA-2004:242
  rpms:
    • squid-7:2.5.STABLE3-6.3E
    • squid-debuginfo-7:2.5.STABLE3-6.3E