[squid-users] Fwd: [DER #11] - Remotely exploitable fmt string bug in squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 5 Jun 2002 00:55:05 +0200

Some of you have probably already seen this message.

What it says is that if you are using the msnt_auth helper to
authenticate your users to a NT domain AND make use of its denyusers
or allowusers feature then you might be at risk. If what is claimed
is true this might allow malicious users who are allowed to talk to
Squid to execute code as the cache_effective_user on the Squid
server.

To minimize the possible impact make sure msnt_auth is only called
upon requests from valid IP addresses within your network.

Have, as your first http_access rules, something along the lines of the
following:

# Define my networks (adjust to your network layout)
acl my_network src 192.168.1.0/24 192.168.2.0/24 ...
# Deny any requests not from my networks
http_access deny !my_network

Rules such as the above are always recommended, no matter whether you are
using the msnt_auth helper or not.

Or alternatively, ensure that access to Squid is firewalled from
untrusted users.

As no heads-up warning was given to the Squid team I have not had any
time to analyze this in more depth.

Regards
Henrik Nordström

---------- Forwarded Message ----------

Subject: [DER #11] - Remotely exploitable fmt string bug in squid
Date: Tue, 04 Jun 2002 02:25:18 +0000
From: "david evlis reign" <davidreign@hotmail.com>
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com,
vulnwatch@vulnwatch.org

-------------------------------------------
- DAVID EVLIS REIGN SECURITY ADVISORY #11 -
-------------------------------------------

- WHAT -
Remotely Exploitable Format string Hole

- WHO -
MSNT squid auth for NtDomains

- DETAILS ON PRODUCT -
This is an authentication module for the Squid proxy server to
authenticate users on an NT domain. It originates from the Samba and SMB
packages by Andrew Tridgell and Richard Sharpe. This version is sourced
from the Pike authentication module by William Welliver
(hwellive@intersil.com).
Usage is simple. It accepts a username and password on standard input
and will return OK if the username/password is valid for the domain, or
ERR if there was some problem. Check syslog messages for reported
problems.
Msntauth is released under the GNU General Public License and is
available from http://stellarx.tripod.com.

- DETAILS OF EXPLOIT -
In the allowuser code of MSNT there is (cough *many buffer overflows*
cough) a remotely exploitable syslog() call which may under certain
circumstances lead to remote compromise of the box running it
(windows [1398|me|2000|xp].[1]).

code portions taken from the exploitable bit of code...

sscanf(ConnectingUser, " %s ", CUBuf);   <-- i wont ask..
sprintf(CUBuf, " %s ", CUBuf);           <-- again i wont...

for (x = 0; x <= strlen(CUBuf); x++)
    CUBuf[x] = toupper(CUBuf[x]);        <-- again....

if (strstr(AllowedUsers, CUBuf) != NULL)
    return 1;
else /* If NULL, they are not allowed to use the proxy */
{
    sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf);  <-- my god...
    /* AllowMsg, built from the user-supplied name, is passed as the
       format argument instead of as data behind a "%s" format */
    syslog(LOG_USER | LOG_ERR, AllowMsg);                     <-- HERE WE ARE!!!!!
    return 0;
}

as you can see, the connectinguser sends over the data which will be
held in the very well bounds checked CUBuf (cough) and if they are _not_
allowed (which means if their name happens to be
AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x) and does not
pass then you are in trouble.

also to note, the same thing happens in denyuser code too :~.

- VENDOR NOTIFICATION -
n to the o

- QUICK HELLOS -
michael zalewiski, skyper, rfp, casper dik

- EXPLOIT -
a working exploit has been created but at the moment seeing this is
packaged by _default_ with the squish caching server then everyone who
uses this product could be at a potential risk, therefore in keeping
with proper practice methodology it shall not be released. yet.

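The allow-list check quoted in the advisory, rewritten the way a defender would fix it. This is an added example, not code from msntauth, the Squid project or the advisory's author; the names MAX_USER, MSG_LEN, check_user_allowed_hardened, deny_message_for and count_percent are assumptions made for this illustration, and the sample input is constructed. The two changes that matter for the reported bug are passing the denial message as a data argument behind a literal "%s" format, and bounding every copy (the sscanf/sprintf pair and the off-by-one toupper loop). The whole-token comparison that replaces strstr goes one step beyond what the advisory discusses: it closes the case where a short name matches inside a longer allowed one.

```c
/* Added example, not msntauth's or the advisory's code: a hardened rewrite
 * of the quoted allow-list check. MAX_USER, MSG_LEN and the function names
 * are assumptions for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MAX_USER 64    /* assumed upper bound on a username token */
#define MSG_LEN  128   /* fits the denial message for any MAX_USER-long name */

/* Count '%' characters in a name. A legitimate NT account name never needs
 * one, so this is a cheap input-validation or log-review check. */
int count_percent(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '%')
            n++;
    return n;
}

/* Copy the first whitespace-delimited token of src into dst (capacity
 * dstlen), upper-cased. Returns 0 on success, -1 if there is no token or it
 * does not fit. Replaces the unbounded sscanf/sprintf pair and the
 * "x <= strlen" loop, which wrote one byte past the terminator. */
static int extract_token_upper(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;

    while (*src == ' ' || *src == '\t')
        src++;
    if (*src == '\0')
        return -1;
    while (*src != '\0' && *src != ' ' && *src != '\t') {
        if (i + 1 >= dstlen)            /* keep room for the terminator */
            return -1;
        dst[i++] = (char)toupper((unsigned char)*src);
        src++;
    }
    dst[i] = '\0';
    return 0;
}

/* Whole-token membership test against a space-separated list of upper-case
 * names. The original used strstr over a space-padded copy; comparing
 * tokens means "AL" can never match "ALICE". */
static int in_list(const char *name, const char *allowed)
{
    size_t nlen = strlen(name);
    const char *p = allowed;

    while (*p != '\0') {
        while (*p == ' ')
            p++;
        const char *start = p;
        while (*p != '\0' && *p != ' ')
            p++;
        if ((size_t)(p - start) == nlen && strncmp(start, name, nlen) == 0)
            return 1;
    }
    return 0;
}

/* Returns 1 if connecting_user is allowed, 0 otherwise. On denial the
 * message is written to msg with a bounded snprintf and logged with the
 * message as a *data* argument, never as the format string. */
int check_user_allowed_hardened(const char *connecting_user, const char *allowed,
                                char *msg, size_t msglen)
{
    char name[MAX_USER + 1];
    int n;

    if (extract_token_upper(connecting_user, name, sizeof name) != 0) {
        snprintf(msg, msglen, "Denied access: malformed or over-long username.");
        syslog(LOG_USER | LOG_ERR, "%s", msg);
        return 0;
    }
    if (in_list(name, allowed))
        return 1;

    n = snprintf(msg, msglen, "Denied access to user '%s'.", name);
    if (n < 0 || (size_t)n >= msglen)
        snprintf(msg, msglen, "Denied access (message truncated).");
    syslog(LOG_USER | LOG_ERR, "%s", msg);   /* the one-token fix for the quoted call */
    return 0;
}

/* Convenience wrapper: the denial message from a static buffer, or "" when
 * the user is allowed. */
const char *deny_message_for(const char *connecting_user, const char *allowed)
{
    static char msg[MSG_LEN];
    msg[0] = '\0';
    if (check_user_allowed_hardened(connecting_user, allowed, msg, sizeof msg))
        return "";
    return msg;
}

int main(void)
{
    /* Constructed sample input, using the shape of name the advisory shows. */
    const char *hostile = "AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x";
    printf("alice: \"%s\"\n", deny_message_for("alice", "ALICE BOB"));
    printf("hostile: \"%s\" (%d '%%' characters in the name)\n",
           deny_message_for(hostile, "ALICE BOB"), count_percent(hostile));
    return 0;
}
```

Run against the constructed names, the hostile string ends up quoted verbatim in the log line (upper-cased, as the original did) rather than being interpreted by syslog(), and count_percent gives an operator a simple signal to alert on in helper logs.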

-------------------------------------------------------
Received on Tue Jun 04 2002 - 16:59:47 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:26 MST