Allele Security Alert
ASA-2019-00042
Identifier(s)
ASA-2019-00042, CVE-2019-3822
Title
NTLMv2 type-3 header stack buffer overflow
Vendor(s)
the Curl project
Product(s)
curl
Affected version(s)
libcurl 7.36.0 to and including 7.63.0
Fixed version(s)
libcurl >= 7.64.0
Proof of concept
Unknown
Description
libcurl contains a stack-based buffer overflow vulnerability.
The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from being overflowed is implemented wrongly (using unsigned math) and as such does not prevent the overflow from happening.
This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server.
Such a “large value” needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
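The unsigned-math mistake described above, as an added illustrative example in C (this is not curl's code; the function names, the 1024-byte buffer capacity and the 2000-byte sample length are constructed for this example): subtracting a length that the remote peer controls from the buffer capacity in size_t arithmetic wraps around instead of going negative, so the bounds check passes precisely for the oversized lengths it was meant to reject. The corrected check bounds the length before subtracting, and the append helper leaves the buffer untouched when the data would not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacity for the illustrative target buffer; not curl's constant. */
#define HDR_BUFSIZE 1024

/* The flawed pattern: subtracting an attacker-controlled length from the
 * capacity in unsigned (size_t) arithmetic. When ntresplen > bufsize the
 * subtraction wraps to a huge value, the comparison passes, and the copy
 * that follows is not prevented. Arithmetic only; nothing is written. */
bool length_check_wraps(size_t used, size_t ntresplen, size_t bufsize)
{
    return used < (bufsize - ntresplen);
}

/* Corrected pattern: reject the oversized length first, then subtract only
 * when the result cannot wrap. */
bool length_check_correct(size_t used, size_t ntresplen, size_t bufsize)
{
    return ntresplen <= bufsize && used <= bufsize - ntresplen;
}

/* How many bytes the flawed check would let a copy write past the end of
 * the buffer (0 when the data fits or the flawed check happens to reject it). */
size_t bytes_past_end_if_wrong_check(size_t used, size_t ntresplen, size_t bufsize)
{
    if (!length_check_wraps(used, ntresplen, bufsize))
        return 0;
    if (used + ntresplen <= bufsize)
        return 0;
    return used + ntresplen - bufsize;
}

/* Append the server-supplied "nt response" bytes to a fixed-size header
 * buffer, guarded by the corrected check. Returns false and leaves the
 * buffer and the fill level untouched when the data would not fit. */
bool append_nt_response(unsigned char *buf, size_t bufsize, size_t *used,
                        const unsigned char *ntresp, size_t ntresplen)
{
    if (!length_check_correct(*used, ntresplen, bufsize))
        return false;
    memcpy(buf + *used, ntresp, ntresplen);
    *used += ntresplen;
    return true;
}

/* Drives both checks on a constructed oversized length (2000 bytes, beyond
 * the ~1000 the advisory mentions) and returns true when the corrected
 * check rejects it while the flawed one would have let it through. */
bool demo_oversized_response(void)
{
    static unsigned char ntresp[2000];  /* constructed: peer-chosen length */
    unsigned char hdr[HDR_BUFSIZE];
    size_t used = 64;                   /* constructed: bytes already in the header */

    memset(ntresp, 'A', sizeof ntresp);
    bool flawed_passes = length_check_wraps(used, sizeof ntresp, HDR_BUFSIZE);
    bool appended = append_nt_response(hdr, HDR_BUFSIZE, &used, ntresp, sizeof ntresp);
    return flawed_passes && !appended && used == 64;
}

int main(void)
{
    printf("flawed check passes 2000-byte response: %s\n",
           length_check_wraps(64, 2000, HDR_BUFSIZE) ? "yes" : "no");
    printf("bytes it would write past the end: %zu\n",
           bytes_past_end_if_wrong_check(64, 2000, HDR_BUFSIZE));
    printf("corrected check rejects it: %s\n",
           demo_oversized_response() ? "yes" : "no");
    return 0;
}
```

Note that the flawed check still rejects lengths that merely exceed the remaining space (for example 1000 bytes when 64 are already used), which is why only a length larger than the whole buffer slips through; a review heuristic is to flag any `capacity - untrusted_length` written in an unsigned type and rewrite it so the untrusted value is compared before it is subtracted.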
Technical details
Unknown
Credits
Wenxiang Qian (Tencent Blade Team)
Reference(s)
NTLMv2 type-3 header stack buffer overflow
https://curl.haxx.se/docs/CVE-2019-3822.html
[SECURITY ADVISORY] curl: NTLMv2 type-3 header stack buffer overflow
https://seclists.org/oss-sec/2019/q1/109
ntlm: Added support for NTLMv2
https://github.com/curl/curl/commit/86724581b6c
CVE-2019-3822 | SUSE
https://www.suse.com/pt-br/security/cve/CVE-2019-3822/
CVE-2019-3822 – Red Hat Customer Portal
https://access.redhat.com/security/cve/cve-2019-3822
CVE-2019-3822 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3822.html
USN-3882-1: curl vulnerabilities | Ubuntu security notices
https://usn.ubuntu.com/3882-1/
CVE-2019-3822
https://security-tracker.debian.org/tracker/CVE-2019-3822
Rejecting overlong functions: starting from two curl remote vulnerabilities
https://security.tencent.com/index.php/blog/msg/129
CVE-2019-3822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822
CVE-2019-3822
https://nvd.nist.gov/vuln/detail/CVE-2019-3822
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 14, 2019