Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: iDEFENSE Security Advisory 10.13.05: Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability



> 
> Multiple Vendor wget/curl NTLM Username Buffer Overflow Vulnerability
> 
> iDEFENSE Security Advisory 10.13.05
> www.idefense.com/application/poi/display?id=322&type=vulnerabilities
> October 13, 2005
> 
> I. BACKGROUND
> 
> GNU Wget is a free software package for retrieving files using HTTP,
> HTTPS and FTP, the most widely-used Internet protocols. It is a
> non-interactive commandline tool, so it may easily be called from
> scripts, cron jobs, terminals without X-Windows support, etc. More
> information on Wget is available from the vendor website:
> 
>       http://www.gnu.org/software/wget/wget.html
> 
> curl is a command line tool for transferring files with URL syntax,
> supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
> Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,
> HTTP form based upload, proxies, cookies, user+password authentication
> (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume,
> proxy tunneling and a busload of other useful tricks. More information
> on curl is available from the vendor website:
> 
>       http://curl.haxx.se/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a buffer overflow vulnerability in multiple
> vendors' implementations of curl and wget allows attackers to execute
> arbitrary code.
> 
> The vulnerability specifically exists due to insufficient bounds
> checking on user-supplied data supplied to a memory copy operation. The
> memcpy() of the supplied NTLM username to ntlmbuf shown below results
> in a stack overflow:
> 
> http-ntlm.c in ntlm_output() on line 532:
> 
>     /* size is now 64 */
>     size=64;
>     ntlmbuf[62]=ntlmbuf[63]=0;
> 
>     memcpy(&ntlmbuf[size], domain, domlen);
>     size += domlen;
> 
>     memcpy(&ntlmbuf[size], usr, userlen);
>     size += userlen;
> 
> The resulting stack overflow can be leveraged to gain arbitrary code 
> execution with user privileges.
> 
> III. ANALYSIS
> 
> Successful exploitation of the vulnerability allows remote attackers to
> execute arbitrary code with the permissions of the HTTP client process.
> User interaction is required. Exploitation requires a user to use one
> of the affected clients to connect to a malicious website.
> 
> This vulnerability affects both wget and curl clients similarly because
> wget 1.10 adopted the curl NTLM authentication source code into its own
> code base. The described vulnerability requires that NTLM authentication
> is enabled in the affected client versions. A factor that somewhat
> increases the risk of this vulnerability is that a client can be forced
> to reconnect using NTLM authentication by issuing an HTTP 302 REDIRECT
> command to the connecting client.
> 
> IV. DETECTION
> 
> iDEFENSE Labs has confirmed the following software versions are 
> vulnerable:
> 
>     *   wget 1.10
>     *   curl 7.13.2
>     *   libcurl 7.13.2 
> 
> V. WORKAROUND
> 
> As a workaround solution, disable NTLM support in wget and curl 
> installations.
> 
> VI. VENDOR RESPONSE
> 
> wget 1.10.2 has been released to address this issue and is available
> for download at:
> 
>    http://ftp.gnu.org/pub/gnu/wget/
> 
> curl has released the following patch to address this issue:
> 
>    http://curl.haxx.se/libcurl-ntlmbuf.patch
> 
> curl has also released the following security advisory:
> 
>    http://curl.haxx.se/mail/lib-2005-10/0061.html
>    
> Additionally, the maintainers of curl-web have provided the following
> details on affected versions:
> 
> Affected versions: curl and libcurl 7.10.6 to and including 7.14.1
> 
> Not affected versions: curl and libcurl 7.10.5 and earlier,
>   7.15.0 and later
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2005-3185 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 10/12/2005  Initial vendor notification
> 10/12/2005  Initial vendor response
> 10/13/2005  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> Free tools, research and upcoming events
> http://labs.idefense.com
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2005 iDEFENSE, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> 
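The bounds-check failure quoted in section II of the forwarded advisory, shown here as an added example that is not curl's or wget's code: a minimal NTLM type-3 packer written in the vulnerable shape next to a hardened one that computes the total length and refuses oversized input before copying anything. The 1024-byte buffer, the 64-byte header, the "NTLMSSP" signature byte and the empty-domain probe names are assumptions made for the illustration; only the domain and user copies that the advisory quotes are modelled, and real NTLM flags, field descriptors and response blobs are left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of CAN-2005-3185, not curl's or wget's code.
 * Assumptions (not stated on the page): ntlmbuf is a 1024-byte stack
 * buffer, the first 64 bytes hold the fixed type-3 header, and only the
 * domain and user strings are appended after it, in that order. */
#define NTLM_BUFSIZE 1024            /* assumed size of the fixed buffer */
#define NTLM_HDRLEN  64              /* "size is now 64" in the advisory */

static unsigned char ntlm_scratch[NTLM_BUFSIZE];   /* caller buffer for demos */

/* Total bytes a type-3 message with these string lengths would occupy. */
size_t ntlm_type3_needed(size_t domlen, size_t userlen)
{
    return NTLM_HDRLEN + domlen + userlen;
}

/* Vulnerable pattern, mirroring the quoted ntlm_output(): the strings are
 * memcpy'd straight after the header with no check against sizeof ntlmbuf.
 * Returns the number of bytes written.  Calling it with domain + user
 * longer than NTLM_BUFSIZE - NTLM_HDRLEN writes past the stack buffer. */
size_t ntlm_type3_unchecked(const char *domain, const char *user)
{
    unsigned char ntlmbuf[NTLM_BUFSIZE];
    size_t size, domlen = strlen(domain), userlen = strlen(user);

    memset(ntlmbuf, 0, NTLM_HDRLEN);
    memcpy(ntlmbuf, "NTLMSSP", 8);           /* signature (assumed layout) */
    ntlmbuf[8] = 3;                          /* type 3: authenticate */
    size = NTLM_HDRLEN;

    memcpy(&ntlmbuf[size], domain, domlen);  /* no bounds check */
    size += domlen;
    memcpy(&ntlmbuf[size], user, userlen);   /* no bounds check */
    size += userlen;
    return size;
}

/* Hardened form: compute the total first and reject oversized input before
 * touching the buffer.  Writes into the caller's buffer of outlen bytes and
 * returns the message length, or 0 if the strings do not fit. */
size_t ntlm_type3_checked(const char *domain, const char *user,
                          unsigned char *out, size_t outlen)
{
    size_t domlen = strlen(domain), userlen = strlen(user);
    size_t needed = ntlm_type3_needed(domlen, userlen);

    if (outlen < NTLM_HDRLEN || needed > outlen)
        return 0;                            /* would overflow: refuse */

    memset(out, 0, NTLM_HDRLEN);
    memcpy(out, "NTLMSSP", 8);
    out[8] = 3;
    memcpy(out + NTLM_HDRLEN, domain, domlen);
    memcpy(out + NTLM_HDRLEN + domlen, user, userlen);
    return needed;
}

/* Constructed probe: a user name of userlen 'A's with an empty domain, run
 * through the checked packer.  Returns the message length or 0 if rejected.
 * With the assumed sizes, 960 + 64 = 1024 just fits and 961 does not. */
size_t ntlm_demo_user_len(size_t userlen)
{
    static char name[2048];
    static unsigned char out[NTLM_BUFSIZE];
    if (userlen >= sizeof name)
        userlen = sizeof name - 1;
    memset(name, 'A', userlen);
    name[userlen] = '\0';
    return ntlm_type3_checked("", name, out, sizeof out);
}

int main(void)
{
    size_t n = ntlm_type3_checked("DOMAIN", "user", ntlm_scratch, sizeof ntlm_scratch);
    printf("ordinary credentials: %zu bytes\n", n);
    printf("960-byte user name: %zu bytes\n", ntlm_demo_user_len(960));
    printf("961-byte user name: %zu (0 = rejected)\n", ntlm_demo_user_len(961));
    return 0;
}
```

Build with `cc -fsanitize=address ntlm.c` and call ntlm_type3_unchecked() with a user name longer than 960 bytes to see the stack-buffer-overflow the advisory describes; the checked variant returns 0 for the same input without writing anything. The check deliberately covers every string that will be copied, not only the user name, since the domain is copied by the same unchecked pattern.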




 




Copyright © Lexa Software, 1996-2009.