mirrors/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-11-23 17:53:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Browse Source 
Pre-authentication remote crash/information disclosure for clients

If clients use a HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.

If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself.  Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.

CVE: 2017-7520
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Guido Vranken 2017-05-19 14:04:25 +02:00 committed by Gert Doering
parent cb4e35ece4
commit 7718c8984f
No known key found for this signature in database
GPG Key ID: 1D829EFECA562812
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/openvpn/ntlm.c
View File

@ -195,7 +195,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
*/
char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
char buf2[128]; /* decoded reply from proxy */
unsigned char buf2[128]; /* decoded reply from proxy */
unsigned char phase3[464];
char md4_hash[MD4_DIGEST_LENGTH+5];
@ -301,7 +301,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
tib_len = 96;
}
{
char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
char *tib_ptr;
int tib_pos = buf2[0x2c];
if (tib_pos + tib_len > sizeof(buf2))
{
return NULL;
}
tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
}
}