Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 109097 - net-misc/{wget,curl}: NTLM Username Buffer Overflow
Summary: net-misc/{wget,curl}: NTLM Username Buffer Overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.comp.w...
Whiteboard: B2 [glsa]
Keywords:
: 109123 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-10-13 01:10 UTC by Thierry Carrez (RETIRED)
Modified: 2006-11-11 19:23 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
libcurl-ntlmbuf.patch (libcurl-ntlmbuf.patch,693 bytes, patch)
2005-10-13 01:14 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 01:10:35 UTC
Remote exploitation of a buffer overflow vulnerability in multiple 
vendor's implementations of curl and wget allows attackers to execute 
arbitrary code. 

The vulnerability specifically exists due to insufficent bounds 
checking on user-supplied data supplied to a memory copy operation. The 
memcpy() of the supplied ntlm username to ntlmbuf shown below results 
in a stack overflow.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 01:13:12 UTC
seemant, liquidx: this is theorically confidential but has been leaked, so we
should open this bug soon. Feel free to commit fixes to Portage directly,
referencing this bug.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 01:14:14 UTC
Created attachment 70533 [details, diff]
libcurl-ntlmbuf.patch

Patch from Daniel Stenberg (curl team)
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-13 05:35:07 UTC
*** Bug 109123 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 05:37:37 UTC
I guess this is completely public now :)
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-10-13 05:39:27 UTC
Ouch, didn't see this bug... The stable wget version doesn't support ntlm auth,
is therefore not affected.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 08:32:01 UTC
This is CAN-2005-3185
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-14 09:37:12 UTC
wget is done.
curl still needs some lovin'
vapier, solar, dragonheart: got time for some security patching ?
Comment 8 Daniel Black (RETIRED) gentoo-dev 2005-10-15 03:36:25 UTC
k- I'm working on it. Seems to have some pecular backards compatibility cruft 
that needs cleaning. When I commit it I wouldn't mind someone having a review. 
Comment 9 Daniel Black (RETIRED) gentoo-dev 2005-10-15 08:06:19 UTC
Commited curl-7.15.0 currently masked   
   
I had some gcc-3.4.4 (hardened x86 and ppc) troubles - self tests 253 and 255   
failed with smashing stack attack.   
 
emerge Portage 2.0.53_rc3 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r1,   
2.6.12-gentoo-r6 i686)   
=================================================================   
System uname: 2.6.12-gentoo-r6 i686 AMD Athlon(tm) XP 1900+   
Gentoo Base System version 1.6.13   
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)   
[disabled]   
ccache version 2.3 [disabled]   
dev-lang/python:     2.3.5-r2   
sys-apps/sandbox:    1.2.13   
sys-devel/autoconf:  2.13, 2.59-r6   
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1   
sys-devel/binutils:  2.16.1   
sys-devel/libtool:   1.5.18-r1   
virtual/os-headers:  2.6.11-r2   
ACCEPT_KEYWORDS="x86"   
AUTOCLEAN="yes"   
CBUILD="i686-pc-linux-gnu"   
CFLAGS="-march=athlon-xp -O2 -pipe"   
CHOST="i686-pc-linux-gnu"   
  
 
dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ ./runtests.pl 
253 
********* System characteristics ******** 
* curl 7.15.0 (i686-pc-linux-gnu) 
* libcurl/7.15.0 GnuTLS/1.2.4 zlib/1.1.4 libidn/0.5.15 
* Features: IDN IPv6 Largefile SSL libz 
* Host: frog 
* System: Linux frog 2.6.12-gentoo-r6 #1 Wed Jul 27 18:38:45 EST 2005 i686 AMD 
Athlon(tm) XP 1900+ AuthenticAMD GNU/Linux 
* Server SSL:     ON 
* libcurl SSL:    ON 
* libcurl debug:  OFF 
* valgrind:       OFF 
* HTTP IPv6       ON 
* FTP IPv6        ON 
* HTTP port:      8990 
* FTP port:       8992 
* FTP port 2:     8995 
* HTTPS port:     8991 
* HTTP IPv6 port: 8994 
* FTP IPv6 port:  8996 
* TFTP port:      8997 
* SSL library:    GnuTLS 
***************************************** 
test 253...[FTP IPv6 dir list with EPRT] 
sh: line 1: 31666 Aborted                 ../src/curl --output log/curl253.out 
--include -v --trace-time -g "ftp://[::1]:8996/" -P - >>log/stdout253 
2>>log/stderr253 
 
 data FAILED: 
--- log/check-expected  2005-10-16 01:03:54.000000000 +1000 
+++ log/check-generated 2005-10-16 01:03:54.000000000 +1000 
@@ -1,11 +0,0 @@ 
-total 20 
-drwxr-xr-x   8 98       98           512 Oct 22 13:06 . 
-drwxr-xr-x   8 98       98           512 Oct 22 13:06 .. 
-drwxr-xr-x   2 98       98           512 May  2  1996 .NeXT 
--r--r--r--   1 0        1             35 Jul 16  1996 README 
-lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin 
-dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev 
-drwxrwxrwx   2 98       98           512 May 29 16:04 download.html 
-dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc 
-drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub 
-dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr 
 
 - abort tests 
TESTDONE: 0 tests out of 1 reported OK: 0% 
TESTFAIL: These test cases failed: 253 
TESTDONE: 1 tests were considered during 3 seconds. 
dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ more log/ 
check-expected    curl.log          server.input      sockdataipv6.log  
stdout253 
check-generated   ftpd.log          sockctrlipv6.log  stderr253         
verifyftp 
dan@frog /var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $ more 
log/stderr253 
01:03:54.593324 * About to connect() to ::1 port 8996 
01:03:54.593530 *   Trying ::1... connected 
01:03:54.595141 * Connected to ::1 (::1) port 8996 
01:03:54.595210 < 220-        _   _ ____  _ 
01:03:54.595253 < 220-    ___| | | |  _ \| | 
01:03:54.595294 < 220-   / __| | | | |_) | | 
01:03:54.595335 < 220-  | (__| |_| |  _ <| |___ 
01:03:54.595377 < 220    \___|\___/|_| \_\_____| 
01:03:54.596147 > USER anonymous 
01:03:54.596231 < 331 We are happy you popped in! 
01:03:54.596935 > PASS curl_by_daniel@haxx.se 
01:03:54.597016 < 230 Welcome you silly person 
01:03:54.597681 > PWD 
01:03:54.597761 < 257 "/nowhere/anywhere" is current directory 
01:03:54.597810 * Entry path is '/nowhere/anywhere' 
01:03:54.603018 > EPRT |2|::1|33924| 
01:03:54.603111 < 200 Thanks for dropping by. We contact you later 
01:03:54.603162 * Connect data stream actively 
01:03:54.603887 > TYPE A 
01:03:54.603969 < 200 I modify TYPE as you wanted 
01:03:54.607410 > LIST 
01:03:54.607500 < 150 here comes a directory 
01:03:54.607607 * Connection accepted from server 
lt-curl: stack smashing attack in function AllowServerConnect() 
 
 
 
 
  
Needs to be fixed before AT as some 3.4.4 gccs are stable.   
   
AT - as you see from the below you have the option of:   
add net-dns/c-ares with your keyword or use.masking ares   
   
net-misc/stunnel is used in 7 self tests that are fairly good. It isn't   
required though.   
   
  DEPEND.bad                     8   
   net-misc/curl/curl-7.15.0.ebuild: ~alpha(default-linux/alpha/2005.0)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~arm(default-linux/arm/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~hppa(default-linux/hppa/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~ia64(default-linux/ia64/2005.0)   
[ 'net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~mips(default-linux/mips/2004.2)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~ppc64(default-linux/ppc64/2005.0)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~s390(default-linux/s390/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild:   
~sparc(default-linux/sparc/sparc64/2005.1) ['net-dns/c-ares']   
  RDEPEND.bad                    8   
   net-misc/curl/curl-7.15.0.ebuild: ~alpha(default-linux/alpha/2005.0)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~arm(default-linux/arm/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~hppa(default-linux/hppa/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~ia64(default-linux/ia64/2005.0)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~mips(default-linux/mips/2004.2)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~ppc64(default-linux/ppc64/2005.0)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild: ~s390(default-linux/s390/2004.3)   
['net-dns/c-ares']   
   net-misc/curl/curl-7.15.0.ebuild:   
~sparc(default-linux/sparc/sparc64/2005.1) ['net-dns/c-ares']   
   
 note for glsa: put revdep-rebuild fix instructions to be sure  
   
Comment 10 Daniel Black (RETIRED) gentoo-dev 2005-10-15 08:33:01 UTC
if no proper solution can be found: 
append-flags -fno-stack-protector 
works. 
Comment 11 Daniel Black (RETIRED) gentoo-dev 2005-10-15 16:04:32 UTC
Hardened peoples - any chance of a  proper fix?   
   
Fails with:   
gcc (GCC) 3.4.4 (Gentoo Hardened 3.4.4-r1, HTB-3.4.4-1.00, ssp-3.4.4-1.0,   
pie-8.7.8)   
   
Works with:   
gcc (GCC) 3.3.5  (Gentoo Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1)   
  
curl-7.15.0/lib/ftp.c -> stack smashing attack in function 
AllowServerConnect()  
  
Comment 12 Daniel Black (RETIRED) gentoo-dev 2005-10-15 19:40:31 UTC
The guts of testcase 253  
  
start dummy server  
/var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $   
make test  
chmod ugo+x ftpserver.pl  
./ftpserver.pl --pidfile .ftp6.pid -s . --ipv6 --port 8996  
  
start curl test:  
/var/tmp/portage/curl-7.15.0/work/curl-7.15.0/tests $  env  
LD_LIBRARY_PATH=../lib/.libs/ gdb  --args ../src/.libs/curl --output  
log/curl253.out  --include -v --trace-time -g "ftp://[::1]:8996/" -P -  
  
  
For details of another failed test  
  
1. Get the server command and client command 
  
strace -fe trace=process ./runtests.pl  
 
2. 
 
Run server 
 
3. run client in gdb 
 
4. 
look in log directory:  
 
contains outputs. 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 08:53:41 UTC
dragonheart: since it's not a regression (it was already failing in past
versions) please unmask it so that we call for arch testing...
Comment 14 Daniel Black (RETIRED) gentoo-dev 2005-10-18 11:55:35 UTC
unmasked and ready for keywording. Most self tests work except detailed above 
(these failed in previous versions). 
Comment 15 Daniel Black (RETIRED) gentoo-dev 2005-10-18 12:00:56 UTC
note: net-dns/c-ares will probably require keywording too. 
Comment 16 Jason Wever (RETIRED) gentoo-dev 2005-10-18 17:31:29 UTC
Currently the curl ebuild seems to only supports c-ares on x86 for some reason
(not sure the decision behind this).

Also are us arch monkeys just keywording some version of curl now or also some
version of wget as well?
Comment 17 Brent Baude (RETIRED) gentoo-dev 2005-10-18 19:52:16 UTC
yes if someone can cite specific versions I'd be happy to keyword for ppc64
Comment 18 Andrej Kacian (RETIRED) gentoo-dev 2005-10-18 21:43:37 UTC
both wget and curl done on x86
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 00:30:30 UTC
Ok, let me see...

There is no "need" to mark any wget stable, since only the ~ version (1.10.*)
was vulnerable to this. But of course you can mark 1.10.2 stable if you want to.

For curl, you need to mark stable the following :
- net-misc/curl-7.15.0
- some net-dns/c-ares version in order to solve the c-ares dep.
Comment 20 René Nussbaumer (RETIRED) gentoo-dev 2005-10-19 04:47:02 UTC
Stable on hppa (thanks to hansmi for fixing curl) and ppc (tested by hansmi).
Comment 21 Brent Baude (RETIRED) gentoo-dev 2005-10-19 07:23:12 UTC
Marked net-misc/curl-7.15.0 ppc64 stable and marked c-ares-1.2.1-r1 ~ppc64
Comment 22 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-19 10:54:22 UTC
sparc stable.
Comment 23 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-19 16:41:15 UTC
net-misc/curl-7.15.0 and c-ares-1.2.0 (as dep) are now marked "stable" on alpha.

Alpha Done.
Comment 24 Luis Medinas (RETIRED) gentoo-dev 2005-10-19 20:42:15 UTC
amd64 done

curl-7.15.0 and c-ares-1.2.1-r1
Comment 25 Aaron Walker (RETIRED) gentoo-dev 2005-10-22 04:12:52 UTC
curl-7.15.0 stable on mips.  I've masked the ares USE flag on mips for the time
being as I don't really feel comfortable marking it stable for mips when there
were previously no mips keywords.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-10-22 06:34:56 UTC
GLSA 200510-19
arm, ia64 and s390 should mark stable to benefit from GLSA
ppc-macos should mark ~
Comment 27 Fabian Groffen gentoo-dev 2005-10-22 07:04:36 UTC
marked curl-7.15.0 and c-ares-1.3.0 ~ppc-macos