Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2004-2022 and is owned by Tenable, Inc. or an Affiliate thereof.SQUID_NTLM.NASL
HistoryJun 30, 2004 - 12:00 a.m.

Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow

2004-06-3000:00:00
This script is Copyright (C) 2004-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
61

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.963 High

EPSS

Percentile

99.6%

JSON

The remote server is affected by a remote code execution vulnerability in the Squid Internet Object Cache server due to a failure to test the length of the user-supplied LanMan hash value in the ntlm_check_auth() function in libntlmssp.c. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a stack-based buffer overflow, resulting in the execution of arbitrary code.

Note that Squid 2.5*-STABLE and 3.*-PRE are reportedly vulnerable.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(12294);
  script_version("1.29");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2004-0541");
  script_bugtraq_id(10500);

  script_name(english:"Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow");

  script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote server is affected by a remote code execution vulnerability
in the Squid Internet Object Cache server due to a failure to test the
length of the user-supplied LanMan hash value in the ntlm_check_auth()
function in libntlmssp.c. An unauthenticated, remote attacker can
exploit this, via a specially crafted request, to cause a stack-based
buffer overflow, resulting in the execution of arbitrary code.

Note that Squid 2.5*-STABLE and 3.*-PRE are reportedly vulnerable.");
  # https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=107
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7990c203");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch or upgrade to the latest version.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-0541");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Squid NTLM Authenticate Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/06/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/06/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:squid-cache:squid");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2004-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service1.nasl", "proxy_use.nasl");
  script_require_ports("Services/http_proxy", 8080, 3128);

  exit(0);
}


# start script

# Keep the old API for that test
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");

port = get_service(svc:"http_proxy", default:3128, exit_on_fail:TRUE);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# up to 25 chars won't overwrite any mem in SQUID NTLM helper auth
malhost = string("http://www.", rand() % 65536, "nessus.test/");
malreq = string("GET ", malhost, " HTTP/1.1\r\nHost: ", malhost, "\r\n");
malreq += string("Authorization: NTLM ", crap(20), "=\r\n\r\n");

send(socket:soc, data:malreq);
r = http_recv(socket:soc);
close(soc);

if (!r) audit(AUDIT_RESP_NOT, port);

if (safe_checks())
{
  if (!egrep(string:r, pattern:"^Server: [Ss]quid")) audit(AUDIT_NOT_DETECT, "Squid", port);

  if (egrep(string:r, pattern:"^Server: [Ss]quid/(2\.5\.STABLE[0-5]([^0-9]|$)|3\.0\.PRE|2\.[0-4]\.)") )
  {
    mymsg =  string("According to its version number, the remote SQUID Proxy\n");
    mymsg += string("may be affected by a remote buffer overflow in its NTLM\n");
    mymsg += string("authentication component, if enabled. Run Nessus without safe\n");
    mymsg += string("checks to actually test the overflow.\n");
    security_hole(port:port, extra:mymsg);
    exit(0);
  }
  else audit(AUDIT_LISTEN_NOT_VULN, "Squid", port);
}
else
{
  if (report_paranoia < 2)
  {
    if (!egrep(string:r, pattern:"^Server: [Ss]quid")) audit(AUDIT_NOT_DETECT, "Squid", port);
  }

  soc = open_sock_tcp(port);
  if (!soc) audit(AUDIT_SOCK_FAIL, port);

  malhost = string("http://www.", rand() % 65536, "nessus.test/");
  malreq = string("GET ", malhost, " HTTP/1.1\r\nHost: ", malhost, "\r\n");
  malreq += string("Authorization: NTLM TlRMTVNTUAABAAAAl4II4AAA", crap(data:"A", length:1024), "=\r\n\r\n");

  send(socket:soc, data:malreq);
  r = http_recv(socket:soc);
  close(soc);

  if (! r)
  {
    security_hole(port);
    exit(0);
  }
  else audit(AUDIT_LISTEN_NOT_VULN, "Squid", port);
}
VendorProductVersionCPE
squid-cachesquidcpe:/a:squid-cache:squid

Related

cve 1
freebsd 1
nessus 8
gentoo 1
openvas 4
cvelist 1
packetstorm 1
nvd 1
debiancve 1
securityvulns 1
redhat 1
ubuntucve 1
suse 1
cve
cve
CVE-2004-0541
2004-08-06 04:00:00
freebsd
freebsd
Buffer overflow in Squid NTLM authentication helper
2004-05-20 00:00:00
nessus
nessus
Fedora Core 2 : squid-2.5.STABLE5-4.fc2 (2004-164)
2004-07-23 00:00:00
SuSE-SA:2004:016: squid
2004-07-25 00:00:00
Mandrake Linux Security Advisory : squid (MDKSA-2004:059)
2004-07-31 00:00:00
gentoo
gentoo
Squid: NTLM authentication helper buffer overflow
2004-06-17 00:00:00
openvas
openvas
FreeBSD Ports: squid
2008-09-04 00:00:00
FreeBSD Ports: squid
2008-09-04 00:00:00
Gentoo Security Advisory GLSA 200406-13 (squid)
2008-09-24 00:00:00
cvelist
cvelist
CVE-2004-0541
2004-06-10 04:00:00
packetstorm
packetstorm
Squid NTLM Authenticate Overflow
2009-10-27 00:00:00
nvd
nvd
CVE-2004-0541
2004-08-06 04:00:00
debiancve
debiancve
CVE-2004-0541
2004-08-06 04:00:00
securityvulns
securityvulns
[Full-Disclosure] iDEFENSE Security Advisory 06.08.04: Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability
2004-06-09 00:00:00
redhat
redhat
(RHSA-2004:242) squid security update
2004-06-09 00:00:00
ubuntucve
ubuntucve
CVE-2004-0541
2004-08-06 00:00:00
suse
suse
remote system compromise in squid
2004-06-09 14:47:16

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.963 High

EPSS

Percentile

99.6%

JSON
Related for SQUID_NTLM.NASL
cve1freebsd1nessus8gentoo1openvas4cvelist1packetstorm1nvd1debiancve1securityvulns1redhat1ubuntucve1suse1