ASA-2019-00042 – curl: NTLMv2 type-3 header stack buffer overflow


Allele Security Alert

ASA-2019-00042

Identifier(s)

ASA-2019-00042, CVE-2019-3822

Title

NTLMv2 type-3 header stack buffer overflow

Vendor(s)

the Curl project

Product(s)

curl

Affected version(s)

libcurl 7.36.0 to and including 7.63.0

Fixed version(s)

libcurl >= 7.64.0

Proof of concept

Unknown

Description

libcurl contains a stack based buffer overflow vulnerability.

The function that creates an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`) generates the HTTP request header contents based on previously received data. The check that exists to prevent the local buffer from being overflowed is implemented wrongly (using unsigned math), so it does not prevent the overflow from happening.

This output data can grow larger than the local buffer if very large “nt response” data is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server.

Such a “large value” needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
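To show the failure mode the description names, here is an added example (not curl's own code) of a size check written with wrapping unsigned arithmetic next to one that cannot wrap, assuming a 1024-byte local buffer like curl's NTLM_BUFSIZE; the 64-byte offset and the 2000-byte nt response are constructed values:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the local type-3 buffer (curl's NTLM_BUFSIZE is 1024; assumed here). */
#define BUFSIZE 1024

/* Flawed guard modelled on the "unsigned math" the advisory describes: when
 * ntresplen exceeds BUFSIZE, BUFSIZE - ntresplen wraps to a huge size_t value,
 * so "size < huge" holds and the oversized copy is wrongly allowed. */
bool broken_check_allows(size_t size, size_t ntresplen)
{
    return size < (BUFSIZE - ntresplen);
}

/* Correct guard: refuse an inconsistent offset, then compare the incoming
 * length against the remaining room, using a subtraction that cannot wrap. */
bool safe_check_allows(size_t size, size_t ntresplen)
{
    return size <= BUFSIZE && ntresplen <= BUFSIZE - size;
}

/* Simulate appending an nt response of ntresplen bytes at `offset` into a
 * BUFSIZE local buffer, guarded by safe_check_allows().
 * Returns the number of bytes copied, or 0 when the copy was refused. */
size_t try_append(size_t offset, size_t ntresplen)
{
    unsigned char ntlmbuf[BUFSIZE];
    unsigned char ntresp[4096];   /* constructed: stands in for server-sent data */

    if (ntresplen > sizeof(ntresp) || !safe_check_allows(offset, ntresplen))
        return 0;
    memset(ntresp, 'A', ntresplen);
    memcpy(ntlmbuf + offset, ntresp, ntresplen);
    return ntresplen;
}

int main(void)
{
    /* Constructed case: nt response placed at offset 64, 2000 bytes long. */
    printf("broken check allows it: %d\n", broken_check_allows(64, 2000)); /* 1 */
    printf("safe check allows it:   %d\n", safe_check_allows(64, 2000));   /* 0 */
    printf("bytes appended safely:  %zu\n", try_append(64, 2000));        /* 0 */
    return 0;
}
```

The broken guard accepts the 2000-byte response because 1024 - 2000 wraps to a value near SIZE_MAX, which is exactly why the check in the affected versions did not stop the copy.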

Technical details

Unknown

Credits

Wenxiang Qian (Tencent Blade Team)

Reference(s)

NTLMv2 type-3 header stack buffer overflow
https://curl.haxx.se/docs/CVE-2019-3822.html

[SECURITY ADVISORY] curl: NTLMv2 type-3 header stack buffer overflow
https://seclists.org/oss-sec/2019/q1/109

ntlm: Added support for NTLMv2
https://github.com/curl/curl/commit/86724581b6c

CVE-2019-3822 | SUSE
https://www.suse.com/pt-br/security/cve/CVE-2019-3822/

CVE-2019-3822 – Red Hat Customer Portal
https://access.redhat.com/security/cve/cve-2019-3822

CVE-2019-3822 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3822.html

USN-3882-1: curl vulnerabilities | Ubuntu security notices
https://usn.ubuntu.com/3882-1/

CVE-2019-3822
https://security-tracker.debian.org/tracker/CVE-2019-3822

Rejecting over-long functions: a discussion starting from two curl remote vulnerabilities
https://security.tencent.com/index.php/blog/msg/129

CVE-2019-3822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822

CVE-2019-3822
https://nvd.nist.gov/vuln/detail/CVE-2019-3822

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 14, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.