From c189f6a54f36f5b6f7734303db3cfc52311aab5f Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Tue, 14 Aug 2012 20:47:22 +0200 Subject: Validate NTLM challenge fields. This is to avoid reading from bad locations, and possibly conveying confidential data. Credit to Nico Golde. --- fetchmail-SA-2012-02.txt | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) (limited to 'fetchmail-SA-2012-02.txt') diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt index 584706da..fc713d22 100644 --- a/fetchmail-SA-2012-02.txt +++ b/fetchmail-SA-2012-02.txt @@ -1,15 +1,17 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode +fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication -Topics: fetchmail denial of service in NTLM protocol phase +Topics: fetchmail denial of service/data theft in NTLM protocol phase Author: Matthias Andree Version: draft Announced: 2012-08-13 -Type: crash while reading from bad memory location -Impact: fetchmail segfaults and aborts, stalling inbound mail +Type: reading from bad memory locations +Impact: fetchmail segfaults and aborts, stalling inbound mail, + or: fetchmail conveys data from bad locations, possibly + betraying confidential data Danger: low Acknowledgment: J. Porter Clark @@ -34,6 +36,7 @@ Corrected in: 2012-08-13 Git, among others, see commit 2012-08-13 0.1 draft 2012-08-14 0.2 added CVE ID +2012-08-14 0.3 mention data theft 1. Background @@ -53,12 +56,16 @@ regular protocol ports. Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM authentication request, but never checked if the received response was -NTLM protocol exchange, or a server-side error message. Instead, -fetchmail tried to decode the error message as though it were -base64-encoded protocol exchange, and could then segfault, subject to -verbosity and other circumstances, while reading data from bad memory -locations. +an NTLM challenge, or a server-side error message. Instead, fetchmail +tried to decode the error message as though it were base64-encoded +protocol exchange, and could then segfault, subject to verbosity and +other circumstances, while reading data from bad memory locations. +Also, when the "Target Name" structure in the NTLM Type 2 message (the +challenge) was carefully crafted, fetchmail might read from the wrong +memory location, and send confidential data to the server that it should +not have. It is deemed hard, although not impossible, to steal +other accounts' data. 3. Solution =========== @@ -106,7 +113,7 @@ END of fetchmail-SA-2012-02 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) -iEYEARECAAYFAlAp5g0ACgkQvmGDOQUufZXtLwCg54tPXJZAXauGxJ77oRGox49g -WUIAnizjQ4AvBSzk3Oraqv+WCS+8wiMb -=NEZ4 +iEYEARECAAYFAlAqnJ0ACgkQvmGDOQUufZURKQCgtarBW3fr0uR/ANpNma7QiAd0 +dFMAoPMNVYwTitZG/gkvwhr7QBGB59pj +=HBRo -----END PGP SIGNATURE----- -- cgit v1.2.3