A stack-based buffer overflow was found in the way curl handled NTLMv2 type-3 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow.
The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.
This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server.
Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
Bug introduced by:
Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1672905]
Commit 86724581b6c was not backported for rhel-5/6/7 therefore these packages are not affected.
Versions of curl package shipped with Fedora are compiled with StackGuard enabled:
On disassembling the function (using Fedora 26) noticed that the function has the usual stackguard prologue and epilogue:
(gdb) disass Curl_auth_create_ntlm_type3_message
Dump of assembler code for function Curl_auth_create_ntlm_type3_message:
0x000000000005d820 <+0>: push %r15
0x000000000005d822 <+2>: push %r14
0x000000000005d824 <+4>: mov %rdi,%r15
0x000000000005d827 <+7>: push %r13
0x000000000005d829 <+9>: push %r12
0x000000000005d82b <+11>: mov %rdx,%r14
0x000000000005d82e <+14>: push %rbp
0x000000000005d82f <+15>: push %rbx
0x000000000005d830 <+16>: mov %rcx,%rbx
0x000000000005d833 <+19>: pxor %xmm0,%xmm0
0x000000000005d837 <+23>: mov %rsi,%rbp
0x000000000005d83a <+26>: sub $0x8f8,%rsp
0x000000000005d841 <+33>: mov $0x5c,%esi
0x000000000005d846 <+38>: mov %fs:0x28,%rax <- notice the stack cookie being pushed on the stack
0x000000000005d84f <+47>: mov %rax,0x8e8(%rsp)
and later in the function (during the exit)
0x000000000005d95c <+316>: mov 0x8e8(%rsp),%rbx
0x000000000005d964 <+324>: xor %fs:0x28,%rbx <- stack cookie being checked
0x000000000005d96d <+333>: jne 0x5defb <Curl_auth_create_ntlm_type3_message+1755>
Where the jne points to:
0x000000000005defb <+1755>: callq 0xb718
Which uses the plt to jump to __stack_chk_fail
This really implies that the function has stackguard correctly working.
It is most likely that the overflow of ntlmbuf will change the stack-cookie and which will trigger a crash during function return and mitigate any chances of code execution.
More details about stackguard is available at: https://access.redhat.com/blogs/766093/posts/3548631
Turn off NTLM authentication.
The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-3 headers, hence they are not affected by this flaw.