| author | Matthias Andree <matthias.andree@gmx.de> | 2012-08-14 20:47:22 +0200 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2012-08-14 20:56:47 +0200 |
| commit | c189f6a54f36f5b6f7734303db3cfc52311aab5f (patch) | |
| tree | d477669cc743ee2186ee368005236fd272ac03a5 /fetchmail-SA-2012-02.txt | |
| parent | 4bb8724c875163a426d7da7044b08582600367d1 (diff) | |
| download | fetchmail-c189f6a54f36f5b6f7734303db3cfc52311aab5f.tar.gz fetchmail-c189f6a54f36f5b6f7734303db3cfc52311aab5f.tar.bz2 fetchmail-c189f6a54f36f5b6f7734303db3cfc52311aab5f.zip | |
Validate NTLM challenge fields.
This is to avoid reading from bad locations, and possibly conveying
confidential data. Credit to Nico Golde.
Diffstat (limited to 'fetchmail-SA-2012-02.txt')

| -rw-r--r-- | fetchmail-SA-2012-02.txt | 31 |
|---|---|---|

1 files changed, 19 insertions, 12 deletions
diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt index 584706da..fc713d22 100644 --- a/fetchmail-SA-2012-02.txt +++ b/fetchmail-SA-2012-02.txt @@ -1,15 +1,17 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode +fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication -Topics: fetchmail denial of service in NTLM protocol phase +Topics: fetchmail denial of service/data theft in NTLM protocol phase Author: Matthias Andree Version: draft Announced: 2012-08-13 -Type: crash while reading from bad memory location -Impact: fetchmail segfaults and aborts, stalling inbound mail +Type: reading from bad memory locations +Impact: fetchmail segfaults and aborts, stalling inbound mail, + or: fetchmail conveys data from bad locations, possibly + betraying confidential data Danger: low Acknowledgment: J. Porter Clark @@ -34,6 +36,7 @@ Corrected in: 2012-08-13 Git, among others, see commit 2012-08-13 0.1 draft 2012-08-14 0.2 added CVE ID +2012-08-14 0.3 mention data theft 1. Background 
@@ -53,12 +56,16 @@ regular protocol ports. Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM authentication request, but never checked if the received response was -NTLM protocol exchange, or a server-side error message. Instead, -fetchmail tried to decode the error message as though it were -base64-encoded protocol exchange, and could then segfault, subject to -verbosity and other circumstances, while reading data from bad memory -locations. +an NTLM challenge, or a server-side error message. Instead, fetchmail +tried to decode the error message as though it were base64-encoded +protocol exchange, and could then segfault, subject to verbosity and +other circumstances, while reading data from bad memory locations. +Also, when the "Target Name" structure in the NTLM Type 2 message (the +challenge) was carefully crafted, fetchmail might read from the wrong +memory location, and send confidential data to the server that it should +not have. It is deemed hard, although not impossible, to steal +other accounts' data. 3. Solution =========== @@ -106,7 +113,7 @@ END of fetchmail-SA-2012-02 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) -iEYEARECAAYFAlAp5g0ACgkQvmGDOQUufZXtLwCg54tPXJZAXauGxJ77oRGox49g -WUIAnizjQ4AvBSzk3Oraqv+WCS+8wiMb -=NEZ4 +iEYEARECAAYFAlAqnJ0ACgkQvmGDOQUufZURKQCgtarBW3fr0uR/ANpNma7QiAd0 +dFMAoPMNVYwTitZG/gkvwhr7QBGB59pj +=HBRo -----END PGP SIGNATURE----- |
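Review bot: In the first hunk (@@ -1,15 +1,17 @@) the Type and Impact fields are widened from a crash to "fetchmail conveys data from bad locations, possibly betraying confidential data", yet the unchanged "Danger: low" line is left as it was for the pure DoS case. Either re-evaluate the rating for the information-disclosure variant or add a short justification next to it (the later hunk's "deemed hard, although not impossible" qualifier would serve) so readers do not read a disclosure bug rated "low" without explanation.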
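Review bot: The new revision-history line in the second hunk (@@ -34,6 +36,7 @@), "2012-08-14 0.3 mention data theft", understates the scope of this revision: the same commit also retitles the advisory, changes the Topics and Type fields and rewrites the Impact field. Listing the changed fields in the 0.3 entry (for example "0.3 retitled; Type/Impact extended to cover data disclosure") lets anyone comparing advisory revisions see what actually changed without diffing the signed text.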
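Review bot: The paragraph added in the third hunk (@@ -53,12 +56,16 @@) describes the new finding only as the "Target Name" structure of the Type 2 message being "carefully crafted", and the final sentence ("It is deemed hard, although not impossible, to steal other accounts' data") gives no reason for that assessment. Since the commit message says the fix validates the NTLM challenge fields, the Solution section or this paragraph should name which fields of that structure are now checked and against what (the received message length is the natural bound), and should say what "other accounts' data" refers to and why reaching it is considered hard, so administrators can judge their own exposure instead of relying on an unexplained verdict.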
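Review bot: The fourth hunk (@@ -106,7 +113,7 @@) replaces the PGP signature block, which is the expected consequence of editing a clearsigned advisory, but the review should include verifying that the new armored signature actually validates over the revised body (gpg --verify on the committed file) and was made with the same key as the previous revision; a committed advisory whose signature does not verify is worse than an unsigned one, because downstream readers will treat the failure as tampering.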