Bug 1670254 (CVE-2019-3822)

Summary: CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, andrew.slice, bodavis, csutherl, dbaker, dbhole, gzaronik, hhorak, jclere, john.j5live, jokerman, jorton, kanderso, kdudka, lgao, luhliari, mbabacek, msekleta, mturk, myarboro, omajid, paul, psampaio, rwagner, security-response-team, sthangav, trankin, twalsh, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.64.0
Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow was found in the way curl handled NTLMv2 type-3 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1672905, 1674355, 1674356
Bug Blocks: 1670258

Description Sam Fowler 2019-01-29 04:18:42 UTC
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow.

The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.

This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server.

Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.


Bug introduced by:

https://github.com/curl/curl/commit/86724581b6c
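
The bounds-check failure described in the report, as an added C example that is not curl's code: a length test written with unsigned subtraction beside the corrected form, and a model of the type-3 assembly step that reports how far past the local buffer a copy would reach. The buffer size (NTLM_BUFSIZE = 1024), the 64-byte header already in the buffer, the sample response lengths and the function names are assumptions for illustration, not values taken from the page or from libcurl.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the local ntlmbuf[] that the type-3 builder writes into
 * (illustration value, not taken from the page). */
#define NTLM_BUFSIZE 1024u

/*
 * Broken check, in the style the description attributes to the vulnerable
 * code: a bounds test done with unsigned subtraction. When ntresplen exceeds
 * NTLM_BUFSIZE, (NTLM_BUFSIZE - ntresplen) wraps to a huge size_t, the
 * comparison succeeds, and the caller goes on to copy ntresplen bytes.
 */
static bool fits_unsigned_subtraction(size_t size, size_t ntresplen)
{
    return size < (NTLM_BUFSIZE - ntresplen);
}

/*
 * Corrected check: add the two lengths and compare against the constant,
 * after rejecting the one case in which the addition itself would wrap.
 */
static bool fits_addition(size_t size, size_t ntresplen)
{
    if (ntresplen > SIZE_MAX - size)
        return false;                 /* size + ntresplen would wrap */
    return size + ntresplen <= NTLM_BUFSIZE;
}

/*
 * Model the type-3 assembly step: 'size' bytes of fixed header are already in
 * ntlmbuf, and the server-controlled NT response of 'ntresplen' bytes is
 * appended only if the given check passes. Returns how many bytes the copy
 * would write past the end of ntlmbuf; 0 means the step is safe (the response
 * fits, or the check rejected it). No copy is performed, so nothing is
 * corrupted when this runs.
 */
static size_t bytes_past_end(bool (*fits)(size_t, size_t),
                             size_t size, size_t ntresplen)
{
    if (!fits(size, ntresplen))
        return 0;
    size_t end = size + ntresplen;
    return end > NTLM_BUFSIZE ? end - NTLM_BUFSIZE : 0;
}

int main(void)
{
    /* Constructed sample: 64 bytes of header already emitted, then NT
     * response lengths a server might put in its type-2 message. */
    const size_t header = 64;
    const size_t lens[] = { 200, 1000, 1100, 4000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("ntresplen=%4zu  buggy check writes %4zu bytes past end, "
               "fixed check writes %zu\n",
               lens[i],
               bytes_past_end(fits_unsigned_subtraction, header, lens[i]),
               bytes_past_end(fits_addition, header, lens[i]));
    }
    return 0;
}
```

With the assumed 1024-byte buffer the broken check still rejects a response of 1000 bytes (1024 - 1000 = 24, and 64 < 24 is false) but accepts 1100 bytes, because the subtraction wraps; only a response longer than the whole buffer gets through, which matches the "around 1000 bytes or more" figure in the description. The corrected form should make the caller fail the authentication step rather than continue building the header.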

Comment 1 Sam Fowler 2019-01-29 04:18:44 UTC
Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)

Comment 2 Sam Fowler 2019-02-06 07:49:15 UTC
External Reference:

https://curl.haxx.se/docs/CVE-2019-3822.html


Upstream Patch:

https://github.com/curl/curl/commit/50c94842

Comment 3 Sam Fowler 2019-02-06 07:49:24 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672905]

Comment 5 Huzaifa S. Sidhpurwala 2019-02-10 06:07:39 UTC
Commit 86724581b6c was not backported for rhel-5/6/7 therefore these packages are not affected.

Comment 8 Huzaifa S. Sidhpurwala 2019-02-11 06:12:30 UTC
Versions of curl package shipped with Fedora are compiled with StackGuard enabled:

On disassembling the function (using Fedora 26) I noticed that the function has the usual StackGuard prologue and epilogue:

(gdb) disass Curl_auth_create_ntlm_type3_message
Dump of assembler code for function Curl_auth_create_ntlm_type3_message:
   0x000000000005d820 <+0>:	push   %r15
   0x000000000005d822 <+2>:	push   %r14
   0x000000000005d824 <+4>:	mov    %rdi,%r15
   0x000000000005d827 <+7>:	push   %r13
   0x000000000005d829 <+9>:	push   %r12
   0x000000000005d82b <+11>:	mov    %rdx,%r14
   0x000000000005d82e <+14>:	push   %rbp
   0x000000000005d82f <+15>:	push   %rbx
   0x000000000005d830 <+16>:	mov    %rcx,%rbx
   0x000000000005d833 <+19>:	pxor   %xmm0,%xmm0
   0x000000000005d837 <+23>:	mov    %rsi,%rbp
   0x000000000005d83a <+26>:	sub    $0x8f8,%rsp
   0x000000000005d841 <+33>:	mov    $0x5c,%esi
   0x000000000005d846 <+38>:	mov    %fs:0x28,%rax   <- notice the stack cookie being pushed on the stack
   0x000000000005d84f <+47>:	mov    %rax,0x8e8(%rsp)

and later in the function (during the exit)

   0x000000000005d95c <+316>:	mov    0x8e8(%rsp),%rbx
   0x000000000005d964 <+324>:	xor    %fs:0x28,%rbx   <- stack cookie being checked
   0x000000000005d96d <+333>:	jne    0x5defb <Curl_auth_create_ntlm_type3_message+1755>

Where the jne points to:

   0x000000000005defb <+1755>:	callq  0xb718

which uses the PLT to jump to __stack_chk_fail.

This really implies that the function has stackguard correctly working.

It is most likely that the overflow of ntlmbuf will change the stack cookie, which will trigger a crash during function return and mitigate any chance of code execution.

More details about StackGuard are available at: https://access.redhat.com/blogs/766093/posts/3548631

Comment 10 Huzaifa S. Sidhpurwala 2019-02-11 06:42:52 UTC
Mitigation:

Turn off NTLM authentication.

Comment 11 Eric Christensen 2019-02-18 14:19:01 UTC
Statement:

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-3 headers, hence they are not affected by this flaw.

Comment 14 errata-xmlrpc 2019-11-05 22:06:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3701 https://access.redhat.com/errata/RHSA-2019:3701

Comment 15 Product Security DevOps Team 2019-11-06 00:52:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3822