Jump to content
Nytro

CVE-2017-8816: curl NTLM Authentication Buffer Overflow

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Yesterday curl released a security advisory for a vulnerability reported by Alex Nichols. The vulnerable code is in lib/curl_ntlm_core.c of libcurl and specifically in Curl_ntlm_core_mk_ntlmv2_hash() function. Below you see the vulnerable function.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
 * (uppercase UserName + Domain) as the data
 */
CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
                                       const char *domain, size_t domlen,
                                       unsigned char *ntlmhash,
                                       unsigned char *ntlmv2hash)
{
  /* Unicode representation */
  size_t identity_len = (userlen + domlen) * 2;
  unsigned char *identity = malloc(identity_len);
  CURLcode result = CURLE_OK;
 
  if(!identity)
    return CURLE_OUT_OF_MEMORY;
 
  ascii_uppercase_to_unicode_le(identity, user, userlen);
  ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
 
  result = Curl_hmac_md5(ntlmhash, 16, identity, curlx_uztoui(identity_len),
                         ntlmv2hash);
 
  free(identity);
 
  return result;
}

The “identity_len” is calculating the sum of the username and password lengths, and multiplies the result by two. Then, the result is used to allocate a heap buffer via malloc() and the subsequent calls use the newly allocated “identity” heap buffer. However, if the username and password length is larger than 2GB on architectures were “size_t” data type is 32-bit the “(userlen + domlen) * 2”, it will result in an integer overflow which will leads in a tiny buffer being allocated via malloc() and resulting in a heap based buffer overflow in the subsequent calls. Below you can see how Daniel Stenberg patched lib/curl_ntlm_core.c to fix this vulnerability. First, a new pre-processor definition was added to ensure that the appropriate (per architecture) maximum value for “size_t” data type is set to the “SIZE_T_MAX” constant.

1
2
3
4
5
6
7
8
#ifndef SIZE_T_MAX
/* some limits.h headers have this defined, some don't */
#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
#define SIZE_T_MAX 18446744073709551615U
#else
#define SIZE_T_MAX 4294967295U
#endif
#endif

And as expected, this new constant is used in Curl_ntlm_core_mk_ntlmv2_hash() function to ensure that the length calculation will not result in an integer overflow. In case it exceeds this limit the code will return “CURLE_OUT_OF_MEMORY” error code. You can see the diff below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
   /* Unicode representation */
size_t identity_len = (userlen + domlen) * 2;
-  unsigned char *identity = malloc(identity_len);
size_t identity_len;
+  unsigned char *identity;
   CURLcode result = CURLE_OK;
  
/* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
   if(!identity)
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...