NTLM auth module for Apache/Unix

Tracker: Bugs

5 Security Vulnerabilities in All Versions - ID: 723468
Last Update: Comment added ( ddouthitt )

mod_ntlm for Apache 1.3.x and mod_ntlm for Apache 2.0 both contain vulnerabilities in the code that handles error logging when 'LOG' is defined. Before calling ap_log_rerror, the input format string is formatted into a fixed-length buffer. If any of the user-controlled format data exceed this length, httpd will segfault during free(3). This is because memory management structures have been overwritten, and the libc is writing to undefined addresses. By carefully exploiting this vulnerability, an attacker could overwrite arbitrary addresses with data of his/her choosing. A second vulnerability exists in the call to ap_log_rerror(). The string argument to ap_log_rerror is not a pre-formatted buffer, but a format string. So, if any format characters exist in the data passed to ap_log_rerror as a result of this pre-formatting, they will be parsed by the procedure, resulting in code execution if the string is carefully designed. This error could also cause a segfault in the httpd child process.

Matthew Murphy
Security Consultant
http://www.techie.hopto.org
E-mail: mattmurphy@kc.rr.com


Matthew Murphy ( mattmurphy ) - 2003-04-18 02:47

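The two bugs the report describes, modelled stand-alone so they can be compiled and run without Apache. This is an added example, not mod_ntlm's code: emit_log() is an assumed stand-in for ap_log_rerror() (printf-style, like the real API, which is exactly why handing it user data as its format is unsafe), log_vulnerable() mirrors the reported pattern (vsprintf() into a fixed 2048-byte heap buffer, then that buffer passed as a format), and log_fixed() is the hardened form (vsnprintf() with the buffer size as bound, then the text passed as an argument to a constant "%s"). The sample username and the oversized input are constructed for the demonstration.

```c
/*
 * Added example (not mod_ntlm's code): the fixed-buffer overflow and the
 * format-string bug from the report, side by side with a hardened version.
 * emit_log() is an assumed stand-in for ap_log_rerror(); MAX_SBUF is the
 * same 2048-byte size the report's code uses.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SBUF 2048

/* Stand-in for ap_log_rerror(): a printf-style sink that formats into
 * 'out' (size outlen). Modelled here, not the Apache function. */
static void emit_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The reported pattern. Never call this with untrusted data: vsprintf()
 * has no bound, and the expanded string becomes emit_log()'s format. */
void log_vulnerable(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    char *s = malloc(MAX_SBUF);
    if (s == NULL)
        return;
    va_start(ap, format);
    vsprintf(s, format, ap);            /* bug 1: unbounded heap write   */
    va_end(ap);
    emit_log(out, outlen, s);           /* bug 2: user data as a format  */
    free(s);
}

/* Hardened form: bounded expansion, data passed as an argument to "%s". */
void log_fixed(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    char *s = malloc(MAX_SBUF);
    if (s == NULL)
        return;
    va_start(ap, format);
    vsnprintf(s, MAX_SBUF, format, ap); /* truncates, always NUL-terminated */
    va_end(ap);
    emit_log(out, outlen, "%s", s);     /* any '%' in s is now inert      */
    free(s);
}

/* Constructed attacker-style username (not from any real request): "%%"
 * survives one printf pass as "%", so a second pass is visible without
 * invoking undefined behaviour the way "%n" or "%x" would. */
static const char CONSTRUCTED_USER[] = "bob%%x";

/* What the sink saw on the vulnerable path. */
const char *vulnerable_result(void)
{
    static char out[256];
    log_vulnerable(out, sizeof out, "user=%s", CONSTRUCTED_USER);
    return out;
}

/* What the sink saw on the fixed path. */
const char *fixed_result(void)
{
    static char out[256];
    log_fixed(out, sizeof out, "user=%s", CONSTRUCTED_USER);
    return out;
}

/* Oversized argument through the fixed path: 4000 bytes arrive, at most
 * MAX_SBUF - 1 are kept. The same call through log_vulnerable() would
 * write past the 2048-byte chunk, so it is deliberately not made here. */
size_t fixed_truncated_length(void)
{
    static char big[4001];
    static char out[4096];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    log_fixed(out, sizeof out, "user=%s", big);
    return strlen(out);
}

int main(void)
{
    printf("vulnerable path logged: %s\n", vulnerable_result());
    printf("fixed path logged:      %s\n", fixed_result());
    printf("fixed path kept %zu bytes of a 4005-byte message\n",
           fixed_truncated_length());
    return 0;
}
```

The vulnerable path logs `user=bob%x` (the attacker's `%%` was interpreted a second time), the fixed path logs `user=bob%%x` verbatim, and the oversized message is cut to 2047 bytes instead of overrunning the heap chunk. Note the bound passed to vsnprintf() is the full buffer size: vsnprintf() always leaves room for the terminator within the size it is given.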


Comment ( 1 )




Date: 2004-06-04 16:13
Sender: ddouthitt


This patch will, at least, take care of two things. First, the
risky LOG section is off by default, and the buffer overflow is
fixed:

--- mod_ntlm.c Fri Jun 4 11:09:39 2004
+++ mod_ntlm.c.orig Fri Jun 4 10:58:02 2004
@@ -25,7 +25,7 @@
#define VERSION "$Name: $"

#define USE_APACHE_PROVIDED_UU_FUNCTIONS
-/* #define myLOG_ERROR -- contains security risks... */
+#define myLOG_ERROR

#ifdef myLOG_ERROR
#define DEBUG(x) ap_log_rerror(APLOG_MARK,
APLOG_NOERRNO|APLOG_ERR, r, x " %u %u", (unsigned) r-
>connection, (unsigned) getpid())
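Review bot: the diff is reversed (`--- mod_ntlm.c` is the patched file, `+++ mod_ntlm.c.orig` the original), so the `-` lines are the fix and the `+` lines are the vulnerable code; applied as posted with `patch -p0` it would restore `#define myLOG_ERROR`, so it needs `patch -R` or should be regenerated as `diff -u mod_ntlm.c.orig mod_ntlm.c`. In the context lines, the DEBUG macro builds its format by literal concatenation (`x " %u %u"`), which is only safe as long as every caller passes a string literal for x; and `(unsigned) r->connection` truncates a pointer on 64-bit builds, where `%p` with the untruncated pointer is the right spelling.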
@@ -45,12 +45,10 @@
va_list ap;
char *s;

-#define MAX_SBUF 2048
-
- if ((s = (char *) malloc(MAX_SBUF)) == NULL)
+ if ((s = (char *) malloc(2048)) == NULL)
return;
va_start(ap, format);
- vsnprintf(s, MAX_SBUF - 1, format, ap);
+ vsprintf(s, format, ap);
va_end(ap);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO |
APLOG_NOTICE, r, s);
free(s);
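Review bot: the format-string bug from the report is still present on the fixed (`-`) side of this hunk: the unchanged context line `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO | APLOG_NOTICE, r, s);` passes s, which now holds the caller's expanded data, as ap_log_rerror's format, so any '%' that arrived in the logged data is interpreted a second time. Pass it as an argument instead: `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO | APLOG_NOTICE, r, "%s", s);`. Separately, `vsnprintf(s, MAX_SBUF - 1, format, ap)` is safe but wastes a byte; vsnprintf always NUL-terminates within the size it is given, so `MAX_SBUF` is the correct bound.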
@@ -62,10 +60,10 @@
char *s;
FILE *f;

- if ((s = (char *) malloc(MAX_SBUF)) == NULL)
+ if ((s = (char *) malloc(2048)) == NULL)
return;
va_start(ap, format);
- vsnprintf(s, MAX_SBUF - 1, format, ap);
+ vsprintf(s, format, ap);
va_end(ap);
if ((f = fopen("/tmp/mod_ntlm.log", "a")) != NULL) {
fputs(s, f);
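Review bot: the vsnprintf bound here has the same off-by-one conservatism as the previous hunk (`MAX_SBUF` rather than `MAX_SBUF - 1` is the exact bound), and the unchanged context `fopen("/tmp/mod_ntlm.log", "a")` is its own problem: it appends to a fixed, predictable path in a world-writable directory, and fopen follows symlinks, so any local user who pre-creates /tmp/mod_ntlm.log as a symlink can have the httpd child append attacker-influenced log text to any file that child's uid can write. Open the file with open(2) and O_CREAT|O_EXCL (plus O_NOFOLLOW where available) before fdopen, or better, keep this debug log under the server's own logs directory rather than /tmp.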