CVE-2004-0541
published 2004-08-06


Priority P2 · 60 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 71.07% (99.3rd percentile)
Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).

Affected (7 ranges)

Vendor                       Product                Version range                 Fixed in
debian                       squid                  < squid 2.5.5-5 (bookworm)    squid 2.5.5-5 (bookworm)
national_science_foundation  squid_web_proxy_cache  (none given)                  (none given)
national_science_foundation  squid_web_proxy_cache  (none given)                  (none given)
squid                        squid                  >= 0, < 2.5.5-5               2.5.5-5
squid                        squid                  >= 0, < 2.5.5-5               2.5.5-5
squid                        squid                  >= 0, < 2.5.5-5               2.5.5-5
squid                        squid                  >= 0, < 2.5.5-5               2.5.5-5

Detection & IOCs (extracted from sources)

command: Proxy-Authorization: NTLM <base64-encoded NTLMSSP_NEGOTIATE>
command: Proxy-Authorization: NTLM <base64-encoded NTLMSSP_AUTHENTICATE with overflow>
bytes: NTLMSSP\x00\x01\x00\x00\x00\x07\x00\xb2\x07\x01\x00\x09\x00\x01\x00\x00\x00\x01\x00\x03\x00\x01\x00\x00\x00
bytes: NTLMSSP\x00\x03\x00\x00\x00 ... \x38\x00\x00\x00 ... \x06\x82\x00\x02
bytes: \x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80
bytes: \x83\xec\x7f
bytes: \xff\x00\x00\x00
  • Detect oversized NTLM Proxy-Authorization headers sent to Squid proxy; the exploit overflows the 'pass' variable in ntlm_check_auth via a crafted NTLMSSP_AUTHENTICATE message with an abnormally large lanman response field.
  • Look for two sequential HTTP proxy requests on the same Keep-Alive connection: first an NTLMSSP_NEGOTIATE (message type 0x01), then immediately an NTLMSSP_AUTHENTICATE (message type 0x03) with no intervening NTLMSSP_CHALLENGE from the proxy. This skips the normal 3-way handshake and is characteristic of the exploit flow.
  • Flag NTLMSSP_AUTHENTICATE messages where the lanman response length field encodes a value far exceeding normal bounds (exploit sets pass_len = overflow + shellcode length, well beyond the fixed buffer).
  • The exploit requires a 15-second delay between brute-force attempts to prevent Squid from exiting after 5 crashes; repeated Squid worker crashes (SIGSEGV) at ~15-second intervals are a strong indicator of active exploitation.
  • Brute-force return address sweep targets the Linux stack range 0xbfffcfbc–0xbffffffc; monitor for repeated proxy authentication failures from a single source IP against a Squid proxy.
  • Vulnerability only exists when Squid is compiled with NTLM handlers enabled; installations without NTLM support are not affected.
  • Affected versions are Squid 2.5.x and 3.x; Debian fixed the issue in package version 2.5.5-5.
  • The exploit payload space is limited to 256 bytes with a minimum of 16 NOPs prepended; detection rules should account for shellcode fitting within this constraint.
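Two of the detection points above can be checked mechanically from the proxy's own traffic: an NTLMSSP_AUTHENTICATE arriving on a connection that never received an NTLMSSP_CHALLENGE, and an AUTHENTICATE whose LmChallengeResponse length field is far larger than any real LM response. The following is an added example written for this page, not code from the record's sources or from the Squid project. It assumes the MS-NLMP message layout (message type at byte 8, LM response Len/MaxLen/Offset at byte 12 of an AUTHENTICATE message) and treats 24 bytes, the size of an LM or LMv2 response, as the largest legitimate value; the threshold, the event format and the sample traffic are all constructed for the example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Assumed threshold: an LM or LMv2 response is 24 bytes in normal use, so a
# larger LmChallengeResponse length has no legitimate purpose in the protocol.
MAX_SANE_LM_RESPONSE_LEN = 24


def parse_ntlm_token(header_value):
    """Decode 'NTLM <base64>' from a Proxy-Authorization or Proxy-Authenticate value.

    Returns (message_type, lm_response_len); lm_response_len is None unless the
    message is an AUTHENTICATE. Returns None if the value is not an NTLMSSP token.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    lm_len = None
    if msg_type == AUTHENTICATE and len(raw) >= 20:
        # MS-NLMP AUTHENTICATE_MESSAGE: LmChallengeResponseFields begin at byte 12
        # as Len(2) MaxLen(2) BufferOffset(4), little-endian.
        (lm_len,) = struct.unpack_from("<H", raw, 12)
    return msg_type, lm_len


def scan_proxy_auth_flow(events):
    """Walk (conn_id, direction, header_value) events in order and return alerts.

    direction is "C>S" for a client's Proxy-Authorization header or "S>C" for the
    proxy's Proxy-Authenticate header on the same keep-alive connection.
    """
    state = {}    # conn_id -> last NTLMSSP message type seen on that connection
    alerts = []   # (conn_id, alert_name)
    for conn_id, direction, header_value in events:
        parsed = parse_ntlm_token(header_value)
        if parsed is None:
            continue
        msg_type, lm_len = parsed
        if msg_type == AUTHENTICATE and direction == "C>S":
            # Normal handshake: NEGOTIATE -> CHALLENGE (from proxy) -> AUTHENTICATE.
            if state.get(conn_id) != CHALLENGE:
                alerts.append((conn_id, "authenticate_without_challenge"))
            if lm_len is not None and lm_len > MAX_SANE_LM_RESPONSE_LEN:
                alerts.append((conn_id, "oversized_lm_response_len"))
        state[conn_id] = msg_type
    return alerts


# --- constructed sample traffic (not captured data) --------------------------
def build_negotiate():
    return NTLMSSP_SIGNATURE + struct.pack("<I", NEGOTIATE) + b"\x00" * 24


def build_challenge():
    return NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE) + b"\x00" * 44


def build_authenticate(lm_len):
    """AUTHENTICATE with only the LM response field set; everything else is zero."""
    header_size = 72  # fixed part of AUTHENTICATE_MESSAGE including the Version field
    fields = struct.pack("<HHI", lm_len, lm_len, header_size)
    body = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
    body += b"\x00" * (header_size - len(body))
    return body + b"\x00" * lm_len


def ntlm_header(raw):
    return "NTLM " + base64.b64encode(raw).decode("ascii")


SAMPLE_EVENTS = [
    ("conn-1", "C>S", ntlm_header(build_negotiate())),
    ("conn-1", "S>C", ntlm_header(build_challenge())),
    ("conn-1", "C>S", ntlm_header(build_authenticate(24))),   # benign: full handshake
    ("conn-2", "C>S", ntlm_header(build_negotiate())),
    ("conn-2", "C>S", ntlm_header(build_authenticate(512))),  # no challenge, oversized length
]

if __name__ == "__main__":
    for conn_id, name in scan_proxy_auth_flow(SAMPLE_EVENTS):
        print(f"{conn_id}: {name}")
```

Feeding both directions of the exchange is what makes the first rule work: seen from client requests alone, every legitimate NTLM login also looks like NEGOTIATE followed by AUTHENTICATE, and only the absence of the proxy's 407 with a CHALLENGE token in between distinguishes the exploit flow. The length rule stands on its own and is the cheaper one to deploy in a proxy access log or IDS signature.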

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                     10.0   CRITICAL
vendor_debian           10.0   CRITICAL
vendor_redhat           10.0   CRITICAL