Home page logo
/

bugtraq logo Bugtraq mailing list archives

[DER #11] - Remotey exploitable fmt string bug in squid
From: "david evlis reign" <davidreign () hotmail com>
Date: Tue, 04 Jun 2002 02:25:18 +0000

-------------------------------------------
- DAVID EVLIS REIGN SECURITY ADVISORY #11 -
-------------------------------------------

- WHAT -
Remotely Exploitable Format string Hole

- WHO -
MSNT squid auth for NtDomains

- DETAILS ON PRODUCT -
This is an authentication module for the Squid proxy server to authenticate users on an NT domain It originates from the Samba and SMB packages by Andrew Tridgell and Richard Sharpe. This version is sourced from the Pike authentication module by William Welliver (hwellive () intersil com). Usage is simple. It accepts a username and password on standard input and will return OK if the
username/password is valid for the domain, or ERR if there was some problem.
Check syslog messages for reported problems.
Msntauth is released under the GNU General Public License and is available from
http://stellarx.tripod.com.

- DETAILS OF EXPLOIT -
In the allowuser code of MSNT there is (cough *many buffer overflows* cough) a remotely exploitable syslog() call which may under certain circumstances lead to remote compromisation
of the box running it (windows [1398|me|2000|xp].[1]).

code portions taken from the exploitable bit of code...

sscanf(ConnectingUser, " %s ", CUBuf); <-- i wont ask..
 sprintf(CUBuf, " %s ", CUBuf); <-- again i wont...

 for (x = 0; x <= strlen(CUBuf); x++)
     CUBuf[x] = toupper(CUBuf[x]); <-- again....

 if (strstr(AllowedUsers, CUBuf) != NULL)
    return 1;
else /* If NULL, they are not allowed to use the proxy */
 {
    sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf); <-- my god...
    syslog(LOG_USER | LOG_ERR, AllowMsg); <-- HERE WE ARE!!!!!
    return 0;
 }

as you can see, the connectinguser sends over the data which will be held in the very well bounds checked CUBuf (cough) and if they are _not_ alowed (which means if there name happens to be AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x) and does not
pass then you are in trouble.

also to note, the same thing happens in denyuser code too :~.

- VENDOR NOTIFICATION -
n to the o

- QUICK HELLOS -
michael zalewiski, skyper, rfp, casper dik

- EXPLOIT -
a working exploit has been created but at the moment seeing this is packaged by _default_ with the squish caching server then everyone who uses this product could be at a potential risk, therefore in keeping withe proper practice methology it shall not be released. yet.






_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com


  By Date           By Thread  

Current thread:
  • [DER #11] - Remotey exploitable fmt string bug in squid david evlis reign (Jun 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]