MSNT squid auth for NtDomains remotely exploitable format string hole



6th Jun 2002 [SBWID-5411]
COMMAND

	MSNT squid auth for NtDomains remotely exploitable format string hole

SYSTEMS AFFECTED

	current version

PROBLEM

	In DAVID EVLIS REIGN SECURITY ADVISORY #11 :

	This is an authentication module for the Squid proxy server to
	authenticate users on an NT domain. It originates from the Samba and SMB
	packages by Andrew Tridgell and Richard Sharpe. This version is sourced
	from the Pike authentication module by William Welliver
	(hwellive@intersil.com). Usage is simple. It accepts a username and
	password on standard input and will return OK if the username/password
	is valid for the domain, or ERR if there was some problem. Check syslog
	messages for reported problems. Msntauth is released under the GNU
	General Public License and is available from http://stellarx.tripod.com.


	 Exploit
	 =======

	In the allowuser code of MSNT there is (cough *many buffer overflows*
	cough) a remotely exploitable syslog() call which may under certain
	circumstances lead to remote compromise of the box running it
	(windows [1398|me|2000|xp].[1]).

	Code portions taken from the exploitable bit of code...


	sscanf(ConnectingUser, " %s ", CUBuf);   /* <-- i wont ask.. */
	sprintf(CUBuf, " %s ", CUBuf);           /* <-- again i wont... */

	for (x = 0; x <= strlen(CUBuf); x++)
	    CUBuf[x] = toupper(CUBuf[x]);        /* <-- again.... */

	if (strstr(AllowedUsers, CUBuf) != NULL)
	    return 1;
	else                    /* If NULL, they are not allowed to use the proxy */
	{
	    sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf);   /* <-- my god... */
	    syslog(LOG_USER | LOG_ERR, AllowMsg);                      /* <-- HERE WE ARE!!!!! */
	    return 0;
	}


	As you can see, the connecting user sends over the data which will be
	held in the very well bounds checked CUBuf (cough) and if they are
	_not_ allowed (which means if their name happens to be
	AAAABBBB.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x.%0.8x) and does not
	pass then you are in trouble, because AllowMsg, with that name embedded
	in it, is handed to syslog() as the format string.

	Also to note, the same thing happens in denyuser code too :~.
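
	A hardened form of the check above, as an added example (not code from
	msntauth or from the advisory): the name is copied with explicit bounds
	and reaches syslog() only as an argument to a constant format string.
	USER_MAX, the function names and the " ALICE BOB " layout of the allowed
	list are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define USER_MAX 64  /* assumed limit; the page does not give the real buffer size */

/* Build " NAME " (upper-cased first whitespace-delimited token of src) in dst.
 * Returns 0 on success, -1 if the name is empty or longer than USER_MAX. */
static int normalize_user(const char *src, char *dst, size_t dstlen)
{
    size_t n;

    src += strspn(src, " \t\r\n");           /* skip leading whitespace, like " %s" */
    n = strcspn(src, " \t\r\n");             /* length of the first token */
    if (n == 0 || n > USER_MAX || n + 3 > dstlen)
        return -1;                           /* reject instead of truncating */
    dst[0] = ' ';
    for (size_t i = 0; i < n; i++)
        dst[i + 1] = (char)toupper((unsigned char)src[i]);
    dst[n + 1] = ' ';
    dst[n + 2] = '\0';
    return 0;
}

/* Bounded message construction; the user name is an argument, never the format. */
static int format_denial(char *out, size_t outlen, const char *padded_user)
{
    int len = snprintf(out, outlen, "Denied access to user '%s'.", padded_user);
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

/* Returns 1 if allowed, 0 if denied. allowed_users is assumed to be " ALICE BOB ". */
int user_allowed(const char *allowed_users, const char *connecting_user)
{
    char cu[USER_MAX + 3];
    char msg[USER_MAX + 64];

    if (normalize_user(connecting_user, cu, sizeof cu) != 0) {
        syslog(LOG_USER | LOG_ERR, "Denied access: user name empty or too long");
        return 0;
    }
    if (strstr(allowed_users, cu) != NULL)
        return 1;
    if (format_denial(msg, sizeof msg, cu) == 0)
        syslog(LOG_USER | LOG_ERR, "%s", msg);   /* constant format string */
    return 0;
}
```

	The same change applies to the denyuser path, which the advisory says
	has the same pattern.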
	

	

SOLUTION

	Nothing yet.

