Re: brief report on NTLM buffer overflow

2005-10-17 Thread Mauro Tortonesi

Daniel Stenberg wrote:

On Fri, 14 Oct 2005, Noèl Köthe wrote:

The last paragraph says something like: Notable is the fast time of 
reaction of the Open Source developer: two days ago the problem was 
reported, yesterday corrected packages were produced and details of 
the vulnerability were published.


Just want to give you very possitive feedback and say thanks.:)



I mailed Hrvoje the patch roughly 50 minutes after the notification (and 
he forwarded it to Mauro). Wget 1.10.2 was relased less than 14 hours 
after the first mail brought our attention to this problem.


Both Hrvoje and Mauro acted swiftly and promptly. Nice going guys!


i was notified of the vulnerability by hrvoje and daniel. when i 
received the security report daniel had aready sent us the bugfix. it 
took me no more than 30 minutes to include the patch in our stable 
branch and release wget 1.10.2.


thanks again, daniel.

--
Aequam memento rebus in arduis servare mentem...

Mauro Tortonesi  http://www.tortonesi.com

University of Ferrara - Dept. of Eng.http://www.ing.unife.it
GNU Wget - HTTP/FTP file retrieval tool  http://www.gnu.org/software/wget
Deep Space 6 - IPv6 for Linuxhttp://www.deepspace6.net
Ferrara Linux User Group http://www.ferrara.linux.it


brief report on NTLM buffer overflow

2005-10-14 Thread Mauro Tortonesi


i am not going to publish a complete security advisory on this topic, 
but i think wget users deserve a little bit more information about the 
security vulnerability that was fixed yesterday, october 13th 2005.


yesterday i was notified by iDEFENSE of a remotely exploitable buffer 
overflow in the NTLM authentication code. this vulnerability could allow 
a malicious website to run arbitrary code on the machine running the 
wget client.


the only two versions of wget vulnerable to this flaw are 1.10 and 
1.10.1 with NTLM authentication support enabled. wget binaries compiled 
without NTLM support are not vulnerable. in addition, NTLM support 
requires OpenSSL, so wget binaries built without SSL support are not 
affected by the vulnerability as well.


the same vulnerability applies to cURL and libcURL, as the NTLM code in 
wget was donated by Daniel Stenberg, (lib)cURL's maintainer. Daniel sent 
me a fix for the flaw which was included in wget 1.10.2, released 
immediately after i received the vulnerability report and the fix.


although there is no known exploit at the time of this writing, i 
strongly recommend anyone using a wget 1.10 or 1.10.1 binary with NTLM 
authentication enabled to upgrade to wget 1.10.2 or to recompile their 
binary without NTLM support.



--
Aequam memento rebus in arduis servare mentem...

Mauro Tortonesi  http://www.tortonesi.com

University of Ferrara - Dept. of Eng.http://www.ing.unife.it
GNU Wget - HTTP/FTP file retrieval tool  http://www.gnu.org/software/wget
Deep Space 6 - IPv6 for Linuxhttp://www.deepspace6.net
Ferrara Linux User Group http://www.ferrara.linux.it


Re: brief report on NTLM buffer overflow

2005-10-14 Thread Daniel Stenberg

On Fri, 14 Oct 2005, Noèl Köthe wrote:

The last paragraph says something like: Notable is the fast time of 
reaction of the Open Source developer: two days ago the problem was 
reported, yesterday corrected packages were produced and details of the 
vulnerability were published.


Just want to give you very possitive feedback and say thanks.:)


I mailed Hrvoje the patch roughly 50 minutes after the notification (and he 
forwarded it to Mauro). Wget 1.10.2 was relased less than 14 hours after the 
first mail brought our attention to this problem.


Both Hrvoje and Mauro acted swiftly and promptly. Nice going guys!

(The plan was originally to coordinate the security fix release with vendors 
and between the curl and wget projects, but due to mistakes did the 
notification accidentally become public immediately and we had to work really 
fast to reduce the impact.)


--
 -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol