Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username.

The upstream developer of curl, a multi-protocol file transfer library, informed us that the former correction to several off-by-one errors are not sufficient. For completeness please find the original bug description below :

  Several problems were discovered in libcurl, a multi-protocol file   transfer library. The Common Vulnerabilities and Exposures project   identifies the following problems :

    - CVE-2005-3185       A buffer overflow has been discovered in libcurl that       could allow the execution of arbitrary code.

    - CVE-2005-4077       Stefan Esser discovered several off-by-one errors that       allows local users to trigger a buffer overflow and       cause a denial of service or bypass PHP security       restrictions via certain URLs.

Updated wget packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols.

A stack based buffer overflow bug was found in the wget implementation of NTLM authentication. An attacker could execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue.

All users of wget are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue.

Updated curl packages that fix a security issue are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols.

A stack based buffer overflow bug was found in cURL's NTLM authentication module. It is possible to execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue.

All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolve this issue.

A buffer overflow has been found in the NTLM authentication handler of the Curl library and wget. By tricking an user or automatic system that uses the Curl library, the curl application, or wget into visiting a specially crafted website, a remote attacker could exploit this to execute arbitrary code with the privileges of the calling user.

The Ubuntu 4.10 and 5.04 versions of wget are not affected by this.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes.

Wget, as of version 1.10, uses the NTLM code from libcurl and is also vulnerable to this issue.

The updated packages have been patched to address this issue.

This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009. This security update contains fixes for the following applications :
- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog 

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009.

This security update contains fixes for the following applications :

- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog

New curl packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current, and new wget packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current. These address a buffer overflow in NTLM handling which may present a security problem, though no public exploits are known at this time.

The remote host is affected by the vulnerability described in GLSA-200510-19 (cURL: NTLM username stack overflow)

    iDEFENSE reported that insufficient bounds checking on a memcpy()     of the supplied NTLM username can result in a stack overflow.
  Impact :

    A remote attacker could setup a malicious server and entice an     user to connect to it using a cURL client, potentially leading to the     execution of arbitrary code with the permissions of the user running     cURL.
  Workaround :

    Disable NTLM authentication by not using the --anyauth or --ntlm     options when using cURL (the command line version). Workarounds for     programs that use the cURL library depend on the configuration options     presented by those programs.

This package fixes a buffer overflow bug in NTLM authentication code of curl (CVE-2005-3185).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes.

The updated packages have been patched to address this issue.

The remote host is using a version of curl (or libcurl) that is vulnerable to a remote buffer overflows. To exploit, an attacker would have to set up a rogue web server that would reply with a malicious NTLM authentication request.  Upon successful exploitation, the attacker would be able to execute arbitrary commands with the rights of the web server.

The remote host is using a version of wget that contains a flaw in the way that it handles NTLM authentication data.  Specifically, a rogue website that returns malformed data during an NTLM authentication session will be able to execute arbitrary code on the local client machine. 

The remote host appears to be running a version of Apache, an open source web server.  This version of Apache is vulnerable to a flaw in the way that it handles mod_ssl CRL verification callback.  In order for an attacker to exploit this flaw the attacker would need to find a server that was configured to use a malicious certificate revocation list (CRL). 

The remote host appears to be running a version of Apache, an open source web server.  This version of Apache is vulnerable to a flaw in the way that it handles malformed HTTP requests.  An attacker exploiting this flaw would be able to possibly corrupt cache memory or inject HTML requests to a vulnerable Apache server.  The vulnerability stems from a non-conformance to RFC 2616 that states that HTTP requests must not include both a 'Content-Length' and 'Transfer-Encoding' field.   

The remote host is using a version of wget that contains a flaw in the way that it handles NTLM authentication data.  Specifically, a rogue website that returns malformed data during an NTLM authentication session will be able to execute arbitrary code on the local client machine.

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009. This security update contains fixes for the following applications :
- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog

The remote host appears to be running a version of Apache, an open source web server.  This version of Apache is vulnerable to a flaw in the way that it handles malformed HTTP requests.  An attacker exploiting this flaw would be able to possibly corrupt cache memory or inject HTML requests to a vulnerable Apache server.  The vulnerability stems from a non-conformance to RFC 2616 that states that HTTP requests must not include both a 'Content-Length' and 'Transfer-Encoding' field.

The remote host appears to be running a version of Apache, an open source web server.  This version of Apache is vulnerable to a flaw in the way that it handles mod_ssl CRL verification callback.  In order for an attacker to exploit this flaw the attacker would need to find a server that was configured to use a malicious certificate revocation list (CRL).

ID	Name	Product	Family	Severity
22785	Debian DSA-919-2 : curl - buffer overflow	Nessus	Debian Local Security Checks	high
21868	CentOS 3 / 4 : wget (CESA-2005:812)	Nessus	CentOS Local Security Checks	high
21864	CentOS 3 / 4 : curl (CESA-2005:807)	Nessus	CentOS Local Security Checks	high
20621	Ubuntu 4.10 / 5.04 / 5.10 : curl, wget vulnerabilities (USN-205-1)	Nessus	Ubuntu Local Security Checks	high
20430	Mandrake Linux Security Advisory : wget (MDKSA-2005:183)	Nessus	Mandriva Local Security Checks	high
20289	Fedora Core 4 : curl-7.13.1-4.fc4 (2005-1129)	Nessus	Fedora Local Security Checks	high
3308	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Nessus Network Monitor	Operating System Detection	high
20249	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Nessus	MacOS X Local Security Checks	high
20149	Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : curl/wget (SSA:2005-310-01)	Nessus	Slackware Local Security Checks	high
20144	RHEL 2.1 / 3 / 4 : wget (RHSA-2005:812)	Nessus	Red Hat Local Security Checks	high
20143	RHEL 3 / 4 : curl (RHSA-2005:807)	Nessus	Red Hat Local Security Checks	high
20081	GLSA-200510-19 : cURL: NTLM username stack overflow	Nessus	Gentoo Local Security Checks	high
20056	Fedora Core 3 : curl-7.12.3-4.fc3 (2005-1000)	Nessus	Fedora Local Security Checks	high
20042	Mandrake Linux Security Advisory : curl (MDKSA-2005:182)	Nessus	Mandriva Local Security Checks	high
3256	Curl NTLM Buffer Overflow	Nessus Network Monitor	Web Clients	medium
3255	GNU WGet < 1.10.2 Buffer Overflow	Nessus Network Monitor	Web Clients	medium
3112	Apache < 2.0.55 HTTP Smuggling Vulnerability	Nessus Network Monitor	Web Servers	high
3042	Apache HTTP Request Parsing HTML Injection	Nessus Network Monitor	Web Servers	high
801390	Curl NTLM Buffer Overflow	Log Correlation Engine	Web Clients	high
800982	GNU WGet < 1.10.2 Buffer Overflow	Log Correlation Engine	Web Clients	high
800798	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Log Correlation Engine	Operating System Detection	high
800576	Apache HTTP Request Parsing HTML Injection	Log Correlation Engine	Web Servers	high
800556	Apache < 2.0.55 HTTP Smuggling Vulnerability	Log Correlation Engine	Web Servers	high

Detections

Analytics

CVE-2005-3185

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

medium

high

high

high

high

high

high

high