Validate NTLM challenge fields.

[~andy/fetchmail] / fetchmail-SA-2012-02.txt

diff --git a/fetchmail-SA-2012-02.txt b/fetchmail-SA-2012-02.txt
index 584706dad432e9460dfd11cfd0d71855081229f6..fc713d225d3fe8a999d8c36c49b4da7a3ca1004d 100644 (file)
--- a/fetchmail-SA-2012-02.txt
+++ b/fetchmail-SA-2012-02.txt
@@ -1,15 +1,17 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-fetchmail-SA-2012-02: DoS possible with NTLM authentication in debug mode
+fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication
 
-Topics:                fetchmail denial of service in NTLM protocol phase
+Topics:                fetchmail denial of service/data theft in NTLM protocol phase
 
 Author:                Matthias Andree
 Version:       draft
 Announced:     2012-08-13
-Type:          crash while reading from bad memory location
-Impact:                fetchmail segfaults and aborts, stalling inbound mail
+Type:          reading from bad memory locations
+Impact:                fetchmail segfaults and aborts, stalling inbound mail,
+               or: fetchmail conveys data from bad locations, possibly
+               betraying confidential data
 Danger:                low
 Acknowledgment:        J. Porter Clark
 
@@ -34,6 +36,7 @@ Corrected in: 2012-08-13 Git, among others, see commit
 
 2012-08-13 0.1 draft
 2012-08-14 0.2 added CVE ID
+2012-08-14 0.3 mention data theft
 
 
 1. Background
@@ -53,12 +56,16 @@ regular protocol ports.
 
 Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
 authentication request, but never checked if the received response was
-NTLM protocol exchange, or a server-side error message.  Instead,
-fetchmail tried to decode the error message as though it were
-base64-encoded protocol exchange, and could then segfault, subject to
-verbosity and other circumstances, while reading data from bad memory
-locations.
+an NTLM challenge, or a server-side error message.  Instead, fetchmail
+tried to decode the error message as though it were base64-encoded
+protocol exchange, and could then segfault, subject to verbosity and
+other circumstances, while reading data from bad memory locations.
 
+Also, when the "Target Name" structure in the NTLM Type 2 message (the
+challenge) was carefully crafted, fetchmail might read from the wrong
+memory location, and send confidential data to the server that it should
+not have.  It is deemed hard, although not impossible, to steal
+other accounts' data.
 
 3. Solution
 ===========
@@ -106,7 +113,7 @@ END of fetchmail-SA-2012-02
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
-iEYEARECAAYFAlAp5g0ACgkQvmGDOQUufZXtLwCg54tPXJZAXauGxJ77oRGox49g
-WUIAnizjQ4AvBSzk3Oraqv+WCS+8wiMb
-=NEZ4
+iEYEARECAAYFAlAqnJ0ACgkQvmGDOQUufZURKQCgtarBW3fr0uR/ANpNma7QiAd0
+dFMAoPMNVYwTitZG/gkvwhr7QBGB59pj
+=HBRo
 -----END PGP SIGNATURE-----