CVE-2004-0541
Published: 2004-08-06
Priority: P2 · 60 · critical · 10 (CVSS 2.0)
Vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
Exploit: public exploit available
EPSS: 71.07% (99.3th percentile)
Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 2.5.5-5 (bookworm) | squid 2.5.5-5 (bookworm) |
| national_science_foundation | squid_web_proxy_cache | — | — |
| national_science_foundation | squid_web_proxy_cache | — | — |
| squid | squid | >= 0 < 2.5.5-5 | 2.5.5-5 |
| squid | squid | >= 0 < 2.5.5-5 | 2.5.5-5 |
| squid | squid | >= 0 < 2.5.5-5 | 2.5.5-5 |
| squid | squid | >= 0 < 2.5.5-5 | 2.5.5-5 |
Detection & IOCs (extracted from sources)
Byte patterns quoted by the sources:
- `NTLMSSP\x00\x01\x00\x00\x00\x07\x00\xb2\x07\x01\x00\x09\x00\x01\x00\x00\x00\x01\x00\x03\x00\x01\x00\x00\x00`
- `NTLMSSP\x00\x03\x00\x00\x00 ... \x38\x00\x00\x00 ... \x06\x82\x00\x02`
- `\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80`
- `\x83\xec\x7f`
- `\xff\x00\x00\x00`
- Detect oversized NTLM Proxy-Authorization headers sent to the Squid proxy; the exploit overflows the 'pass' variable in ntlm_check_auth via a crafted NTLMSSP_AUTHENTICATE message with an abnormally large lanman response field.
- Look for two sequential HTTP proxy requests on the same Keep-Alive connection: first an NTLMSSP_NEGOTIATE (message type 0x01), then immediately an NTLMSSP_AUTHENTICATE (message type 0x03) with no intervening NTLMSSP_CHALLENGE. This skips the normal 3-way handshake and is characteristic of the exploit flow.
- Flag NTLMSSP_AUTHENTICATE messages where the lanman response length field encodes a value far exceeding normal bounds (the exploit sets pass_len = overflow + shellcode length, well beyond the fixed buffer).
- The exploit requires a 15-second delay between brute-force attempts to prevent Squid from exiting after 5 crashes; repeated Squid worker crashes (SIGSEGV) at roughly 15-second intervals are a strong indicator of active exploitation.
- The brute-force return address sweep targets the Linux stack range 0xbfffcfbc–0xbffffffc; monitor for repeated proxy authentication failures from a single source IP against a Squid proxy.
- The vulnerability only exists when Squid is compiled with NTLM handlers enabled; installations without NTLM support are not affected.
- Affected versions are Squid 2.5.x and 3.x; Debian fixed the issue in package version 2.5.5-5.
- The exploit payload space is limited to 256 bytes with a minimum of 16 NOPs prepended; detection rules should account for shellcode fitting within this constraint.
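The two header-level indicators above (an oversized lanman response length in a type-3 message, and NEGOTIATE followed directly by AUTHENTICATE with no CHALLENGE) as detection logic. This is an added example, not code from the page's sources or from Squid: it decodes the NTLMSSP blob from a Proxy-Authorization header, reads the LmChallengeResponse security buffer at byte 12 of a type-3 message as laid out in MS-NLMP, and compares the length against a 24-byte norm. The 24-byte threshold, the 0x40 data offset, the function names and the constructed sample messages are assumptions.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
# Assumption: a legitimate LM/LMv2 response is 24 bytes; longer values are what overrun the fixed 'pass' buffer.
MAX_LM_RESPONSE_LEN = 24

def ntlm_blob(header_line: str):
    """Decode the NTLMSSP blob from a 'Proxy-Authorization: NTLM <base64>' line."""
    scheme, _, token = header_line.partition(":")[2].strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:
        return None

def message_type(blob):
    """NTLMSSP MessageType (little-endian u32 at offset 8), or None if not NTLMSSP."""
    if not blob or len(blob) < 12 or not blob.startswith(NTLMSSP_SIG):
        return None
    return struct.unpack_from("<I", blob, 8)[0]

def check_authenticate(blob) -> list:
    """Flag a type-3 LmChallengeResponse buffer (Len/MaxLen/Offset at byte 12, MS-NLMP) that is oversized or out of bounds."""
    if message_type(blob) != AUTHENTICATE or len(blob) < 20:
        return []
    lm_len, _lm_max, lm_off = struct.unpack_from("<HHI", blob, 12)
    findings = []
    if lm_len > MAX_LM_RESPONSE_LEN:
        findings.append(f"oversized LM response length {lm_len}")
    if lm_off + lm_len > len(blob):
        findings.append("LM response buffer extends past end of message")
    return findings

def check_connection(header_lines) -> list:
    """Bounds-check each message, then flag NEGOTIATE followed directly by AUTHENTICATE (CHALLENGE skipped)."""
    blobs = [ntlm_blob(h) for h in header_lines]
    findings = [f for b in blobs for f in check_authenticate(b)]
    types = [message_type(b) for b in blobs]
    for prev, cur in zip(types, types[1:]):
        if prev == NEGOTIATE and cur == AUTHENTICATE:
            findings.append("AUTHENTICATE directly after NEGOTIATE (CHALLENGE skipped)")
    return findings

def sample_header(msg_type: int, lm_len: int = 0) -> str:
    """Constructed test input: minimal message of the given type; for AUTHENTICATE only the LM buffer (data at 0x40, zero-filled) is set."""
    blob = NTLMSSP_SIG + struct.pack("<IHHI", msg_type, lm_len, lm_len, 0x40)
    blob = blob.ljust(0x40, b"\x00") + b"\x00" * lm_len
    return "Proxy-Authorization: NTLM " + base64.b64encode(blob).decode()
```

Feed `check_connection` the NTLM Proxy-Authorization headers observed on one client connection; a benign NEGOTIATE, CHALLENGE, AUTHENTICATE exchange with a 24-byte LM response produces no findings.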
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Red Hat (vendor_redhat · 2004-06-08 · CVSS 10.0 · CRITICAL): security flaw
Debian (vendor_debian · 2004 · CVSS 10.0 · CRITICAL): CVE-2004-0541: squid - Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid ...
Scope: local
Suite status:
- bookworm: resolved (fixed in 2.5.5-5)
- bullseye: resolved (fixed in 2.5.5-5)
- forky: resolved (fixed in 2.5.5-5)
- sid: resolved (fixed in 2.5.5-5)
- trixie: resolved (fixed in 2.5.5-5)
GHSA (ghsa_unreviewed · 2022-05-03 · HIGH): GHSA-c92g-qcfc-4869: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2
OSV (osv · 2004-08-06 · CVSS 10.0 · CRITICAL): CVE-2004-0541: Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2
No detection rules found.
Exploit-DB (exploitdb · 2010-04-30): Squid - NTLM (Authenticated) Overflow (Metasploit)
---
```ruby
##
# $Id: squid_ntlm_authenticate.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid\'s NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$
```
Exploit-DB (exploitdb · 2004-06-08): Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit)
---
```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid's NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0541'],
[ 'OSVDB
```
Metasploit (metasploit): Squid NTLM Authenticate Overflow
This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory.
Bugzilla (bugzilla · 2018-08-16 · CVSS 10.0 · CRITICAL): CVE-2004-0541 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).
Bugzilla (bugzilla · 2004-10-11 · CVSS 7.5 · HIGH): Squid Multiple Vulnerabilities (CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-1999-0710 CVE-2005-1345 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-...
iDEFENSE reported on 2004-10-11 a vulnerability in the squid SNMP
module. This issue could lead to a potential DOS (it will restart
the server, dropping all open connections).
http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135320
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135319
------- Additional Comments From [email protected] 2004-10-11 19:30:05 ----
Patch available here:
http://www1.uk.squid-cache.org/squid/Versions/v2/2
Bugzilla (bugzilla · 2004-06-09 · MEDIUM): CAN-2004-0541 Squid NTLM authentication helper overflow
A buffer overflow was found within the NTLM authentication helper
routine. If Squid is configured to use the NTLM authentication
helper, a remote attacker could potentially execute arbitrary code by
sending an overly long password. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0541 to this issue.
Note: The NTLM authentication helper is not enabled by default in
Fedora Core.
Note: This is a stack buffer overflow and exec-shield will help
mitigate the risk of this being exploited in Fedora Core.
Discussion:
http://www.redhat.com/archives/fedora-announce-list/2004-June/msg00012.html
http://www.redhat.com/archives/fedora-announce-list/2004-June/msg00013.html
Bugzilla (bugzilla · 2004-06-08 · MEDIUM): CAN-2004-0541 Squid NTLM authentication helper overflow
A buffer overflow was found within the NTLM authentication helper
routine. If Squid is configured to use the NTLM authentication helper,
a remote attacker could potentially execute arbitrary code by sending
an overly long password. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0541 to this issue.
Note: The NTLM authentication helper is not enabled by default in Red
Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not
vulnerable to this issue as it shipped with a version of Squid which
did not contain the helper.
Users of Squid should update to these erratum packages, which contain a
backported patch and are not vulnerable to this issue.
Discussion:
An errata has been issued w
References:
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
- http://fedoranews.org/updates/FEDORA--.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
- http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:059
- http://www.redhat.com/support/errata/RHSA-2004-242.html
- http://www.securityfocus.com/bid/10500
- http://www.trustix.net/errata/2004/0033/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16360
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10722
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A980