Bug 1670254 (CVE-2019-3822) - CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow
Summary: CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow
Status: NEW
Alias: CVE-2019-3822
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190206,repor...
Keywords: Security
Depends On: 1674355 1674356 1672905
Blocks: 1670258
TreeView+ depends on / blocked
 
Reported: 2019-01-29 04:18 UTC by Sam Fowler
Modified: 2019-04-30 02:51 UTC (History)
29 users (show)

(edit)
A stack-based buffer overflow was found in the way curl handled NTLMv2 type-3 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Sam Fowler 2019-01-29 04:18:42 UTC
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow.

The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.

This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server.

Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.


Bug introduced by:

https://github.com/curl/curl/commit/86724581b6c

Comment 1 Sam Fowler 2019-01-29 04:18:44 UTC
Acknowledgments:

Name: Daniel Stenberg (the Curl project)
Upstream: Wenxiang Qian (Tencent Blade Team)

Comment 2 Sam Fowler 2019-02-06 07:49:15 UTC
External Reference:

https://curl.haxx.se/docs/CVE-2019-3822.html


Upstream Patch:

https://github.com/curl/curl/commit/50c94842

Comment 3 Sam Fowler 2019-02-06 07:49:24 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1672905]

Comment 5 Huzaifa S. Sidhpurwala 2019-02-10 06:07:39 UTC
Commit 86724581b6c was not backported for rhel-5/6/7 therefore these packages are not affected.

Comment 8 Huzaifa S. Sidhpurwala 2019-02-11 06:12:30 UTC
Versions of curl package shipped with Fedora are compiled with StackGuard enabled:

On disassembling the function (using Fedora 26) noticed that the function has the usual stackguard prologue and epilogue:

(gdb) disass Curl_auth_create_ntlm_type3_message
Dump of assembler code for function Curl_auth_create_ntlm_type3_message:
   0x000000000005d820 <+0>:	push   %r15
   0x000000000005d822 <+2>:	push   %r14
   0x000000000005d824 <+4>:	mov    %rdi,%r15
   0x000000000005d827 <+7>:	push   %r13
   0x000000000005d829 <+9>:	push   %r12
   0x000000000005d82b <+11>:	mov    %rdx,%r14
   0x000000000005d82e <+14>:	push   %rbp
   0x000000000005d82f <+15>:	push   %rbx
   0x000000000005d830 <+16>:	mov    %rcx,%rbx
   0x000000000005d833 <+19>:	pxor   %xmm0,%xmm0
   0x000000000005d837 <+23>:	mov    %rsi,%rbp
   0x000000000005d83a <+26>:	sub    $0x8f8,%rsp
   0x000000000005d841 <+33>:	mov    $0x5c,%esi
   0x000000000005d846 <+38>:	mov    %fs:0x28,%rax   <- notice the stack cookie being pushed on the stack       
   0x000000000005d84f <+47>:  	mov    %rax,0x8e8(%rsp)

and later in the function (during the exit)

   0x000000000005d95c <+316>:	mov    0x8e8(%rsp),%rbx
   0x000000000005d964 <+324>:	xor    %fs:0x28,%rbx   <- stack cookie being checked
   0x000000000005d96d <+333>:	jne    0x5defb <Curl_auth_create_ntlm_type3_message+1755>

Where the jne points to:

   0x000000000005defb <+1755>:	callq  0xb718

Which uses the plt to jump to __stack_chk_fail

This really implies that the function has stackguard correctly working.

It is most likely that the overflow of ntlmbuf will change the stack-cookie and which will trigger a crash during function return and mitigate any chances of code execution.

More details about stackguard is available at: https://access.redhat.com/blogs/766093/posts/3548631

Comment 10 Huzaifa S. Sidhpurwala 2019-02-11 06:42:52 UTC
Mitigation:

Turn off NTLM authentication.

Comment 11 Eric Christensen 2019-02-18 14:19:01 UTC
Statement:

The versions of curl package shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support NTLMv2 type-3 headers, hence they are not affected by this flaw.


Note You need to log in before you can comment on or make changes to this bug.