CVE-2004-0541 - Buffer Overflow vulnerability in Squid Proxy NTLM Authentication
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Exploit-Db
description | Squid 2.5.x, 3.x NTLM Buffer Overflow. CVE-2004-0541. Remote exploits for multiple platform |
id | EDB-ID:9951 |
last seen | 2016-02-01 |
modified | 2004-06-08 |
published | 2004-06-08 |
reporter | skape |
source | https://www.exploit-db.com/download/9951/ |
title | Squid 2.5.x / 3.x - NTLM Buffer Overflow |

description | Squid NTLM Authenticate Overflow. CVE-2004-0541. Remote exploit for linux platform |
id | EDB-ID:16847 |
last seen | 2016-02-02 |
modified | 2010-04-30 |
published | 2010-04-30 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16847/ |
title | Squid NTLM Authenticate Overflow |
Metasploit
description | This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory. |
id | MSF:EXPLOIT/LINUX/PROXY/SQUID_NTLM_AUTHENTICATE |
last seen | 2020-03-11 |
modified | 2017-07-24 |
published | 2006-12-14 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/proxy/squid_ntlm_authenticate.rb |
title | Squid NTLM Authenticate Overflow |
Nessus
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_SQUID_255_9.NASL |
description | The following package needs to be updated: squid |
last seen | 2016-09-26 |
modified | 2011-10-03 |
plugin id | 12616 |
published | 2004-07-06 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=12616 |
title | FreeBSD : Buffer overflow in Squid NTLM authentication helper (183) |
code | see below |

```nasl
#%NASL_MIN_LEVEL 999999
# @DEPRECATED@
#
# This script has been deprecated by freebsd_pkg_6f955451ba5411d8b88c000d610a3b12.nasl.
#
# Disabled on 2011/10/02.
#
#
# (C) Tenable Network Security, Inc.
#
# This script contains information extracted from VuXML :
#
# Copyright 2003-2006 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#

include('compat.inc');

if ( description )
{
  script_id(12616);
  script_version("1.15");
  script_bugtraq_id(10500);
  script_cve_id("CVE-2004-0541");

  script_name(english:"FreeBSD : Buffer overflow in Squid NTLM authentication helper (183)");

  script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
  script_set_attribute(attribute:'description', value:'The following package needs to be updated: squid');
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Squid NTLM Authenticate Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
  script_set_attribute(attribute: 'see_also', value: 'http://bugs.libgd.org/?do=details&task_id=70
http://bugs.libgd.org/?do=details&task_id=87
http://bugs.libgd.org/?do=details&task_id=89
http://bugs.libgd.org/?do=details&task_id=94
http://secunia.com/advisories/11804
http://www.frsirt.com/english/advisories/2007/2336
http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false
http://www.libgd.org/ReleaseNote020035
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://www.mozilla.org/security/announce/mfsa2005-46.html
http://www.mozilla.org/security/announce/mfsa2005-47.html
http://www.squid-cache.org/bugs/show_bug.cgi?id=998');
  script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/6f955451-ba54-11d8-b88c-000d610a3b12.html');
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
  script_cvs_date("Date: 2018/08/22 16:49:14");
  script_end_attributes();

  script_summary(english:"Check for squid");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  family["english"] = "FreeBSD Local Security Checks";
  script_family(english:family["english"]);
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/FreeBSD/pkg_info");
  exit(0);
}

# Deprecated.
exit(0, "This plugin has been deprecated. Refer to plugin #36518 (freebsd_pkg_6f955451ba5411d8b88c000d610a3b12.nasl) instead.");

global_var cvss_score;
cvss_score=10;
include('freebsd_package.inc');

pkg_test(pkg:"squid<2.5.5_9");
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-164.NASL |
description | - Mon Jun 07 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE3-4.fc2 - Backport security fix for ntlm auth helper (CVE-2004-0541). - Thu Apr 08 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE5-3 - Fix the -pipe patch to have the correct name of the winbind pipe. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13718 |
published | 2004-07-23 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13718 |
title | Fedora Core 2 : squid-2.5.STABLE5-4.fc2 (2004-164) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_6F955451BA5411D8B88C000D610A3B12.NASL |
description | Remote exploitation of a buffer overflow vulnerability in the NTLM authentication helper routine of the Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. A remote attacker can compromise a target system if the Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 36518 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/36518 |
title | FreeBSD : Buffer overflow in Squid NTLM authentication helper (6f955451-ba54-11d8-b88c-000d610a3b12) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2004-059.NASL |
description | A vulnerability exists in squid |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14158 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14158 |
title | Mandrake Linux Security Advisory : squid (MDKSA-2004:059) |

NASL family | Firewalls |
NASL id | SQUID_NTLM.NASL |
description | The remote server is affected by a remote code execution vulnerability in the Squid Internet Object Cache server due to a failure to test the length of the user-supplied LanMan hash value in the ntlm_check_auth() function in libntlmssp.c. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code. Note that Squid 2.5*-STABLE and 3.*-PRE are reportedly vulnerable. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12294 |
published | 2004-06-30 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12294 |
title | Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-163.NASL |
description | - Mon Jun 07 2004 Jay Fenlason <fenlason at redhat.com> 7:2.5.STABLE3-2.fc1 - Backport patch for CVE-2004-0541: buffer overflow in ntlm auth helper. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13717 |
published | 2004-07-23 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13717 |
title | Fedora Core 1 : squid-2.5.STABLE3-2.fc1 (2004-163) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200406-13.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200406-13 (Squid: NTLM authentication helper buffer overflow). Squid is a full-featured Web Proxy Cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, transparent caching, access control lists and many other features. Impact : If Squid is configured to use NTLM authentication, an attacker could exploit this vulnerability by sending a very long password. This could lead to arbitrary code execution with the permissions of the user running Squid. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14524 |
published | 2004-08-30 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14524 |
title | GLSA-200406-13 : Squid: NTLM authentication helper buffer overflow |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-242.NASL |
description | An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available. Squid is a full-featured Web proxy cache. A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0541 to this issue. Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the helper. Users of Squid should update to this errata package which contains a backported patch that is not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12504 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12504 |
title | RHEL 3 : squid (RHSA-2004:242) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SA_2004_016.NASL |
description | The remote host is missing the patch for the advisory SuSE-SA:2004:016 (squid). Squid is a feature-rich web-proxy with support for various web-related protocols. The NTLM authentication helper application of Squid is vulnerable to a buffer overflow that can be exploited remotely by using a long password to execute arbitrary code. NTLM authentication is enabled by default in the Squid package that is shipped by SUSE LINUX. There is no workaround known other than turning off the NTLM authentication. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13832 |
published | 2004-07-25 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13832 |
title | SuSE-SA:2004:016: squid |
Oval
accepted | 2013-04-29T04:08:06.097-04:00 |
class | vulnerability |
contributors | Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.) |
definition_extensions | The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651) |
description | Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). |
family | unix |
id | oval:org.mitre.oval:def:10722 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). |
version | 26 |

accepted | 2010-09-20T04:00:47.787-04:00 |
class | vulnerability |
contributors | Jay Beale (Bastille Linux); Jonathan Baker (The MITRE Corporation) |
description | Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). |
family | unix |
id | oval:org.mitre.oval:def:980 |
status | accepted |
submitted | 2004-06-10T12:00:00.000-04:00 |
title | NTLM Authentication BO in Squid Web Proxy Cache |
version | 6 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/82249/squid_ntlm_authenticate.rb.txt |
id | PACKETSTORM:82249 |
last seen | 2016-12-05 |
published | 2009-10-27 |
reporter | skape |
source | https://packetstormsecurity.com/files/82249/Squid-NTLM-Authenticate-Overflow.html |
title | Squid NTLM Authenticate Overflow |
References
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
- http://fedoranews.org/updates/FEDORA--.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
- http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:059
- http://www.redhat.com/support/errata/RHSA-2004-242.html
- http://www.securityfocus.com/bid/10500
- http://www.trustix.net/errata/2004/0033/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16360
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10722
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A980