Pavuk Digest Authentication Buffer Overflow Vulnerabilities

I. Synopsis

Pavuk is a package designed for mass document retreival.  Pavuk is
scriptable, and supports several advanced features, including several
classes of authentication.  NTLM, Basic, and Digest, are among those
supported.

II. Vulnerability Description

Pavuk's digest authentication routines contain buffer overflows when
processing a malicious Digest authentication challenge.  In particular,
buffer overflows may occur when malicious nonce or realm values are
specified.

By responding with an HTTP 401 (Unauthorized) status, and including a
Digest challenge with large values in certain fields, the buffer overflow
may occur.  The issue is due to unsafe sprintf() calls within the Digest
authentication handler.

III. Impact

Successful exploitation of this vulnerability allows an attacker to cause
Pavuk to fail or potentially execute arbitrary code if he/she can cause an
access to a web URL designed to exploit this issue.  Function parameter
overwriting allows for bypass of stack protection technologies, such as
ProPolice and StackGuard, rendering them ineffective against exploitation
of this vulnerability.

In combination with certain web spider packages, this vulnerability could
be exploited by any attacker who was able to cause a page to be indexed by
a spider using Pavuk.

I've produced a simple PHP exploit designed to demonstrate this
vulnerability:

<?php
$buffer = "";
for ($i = 0; $i < 1024; $i++) {
    $buffer .= "A";
 
header("WWW-Authenticate: Digest realm=\"Secured by Digest Auth\"
opaque=\"opaque\" nonce=\"$buffer\"");
header("Status: 401 Not Authorized");
?>

IV. Workarounds

Successful exploitation of this vulnerability requires that Digest
authentication be configured.  In order to protect against this
vulnerability, disable HTTP authentication within Pavuk.

V. Solution

Pavuk development upstream appears to have stalled.  However, Pavuk is
present in the FreeBSD and OpenBSD ports collections, as well as being
distributed by SuSE, Gentoo, and Debian.  Release was coordinated for July
26.

SuSE has issued fixes, although I have been informed that SuSE does not
plan to issue an independent advisory.  I am unable to find documentation
of updates to Debian's packages.  I received no responses from FreeBSD and
OpenBSD during the course of coordinating releases.

VI. Disclosure Timeline

* July 9: Vulnerability Reported to:
    - Security@gentoo.org
    - Security@suse.de
    - Security@freebsd.org
    - Security@debian.org
    - Deraadt@openbsd.org
* July 9 (Two Hours Later): SuSE's Roman Drahtmueller responds
* July 9: Per SuSE request, issue forwarded to vendor-sec@lst.de
* July 19: Initial date set for release: July 27
* July 20: SuSE requests earlier release due to recent discoveries
* July 21: Release timeline set for July 26
* July 22: Release timeline relayed to Gentoo, FreeBSD, OpenBSD
* July 26: Gentoo releases GLSA-200407-19
* July 27: Advisory released

VII. Acknowledgements

I'd like to thank the following people for working with me on this release:

* SuSE's Roman Drahtmueller and Thomas Biege
* Gentoo's Kurt Lieber and Sune Koppeson
* Debian's Matt Zimmerman

Also, credit is due to the Debian Security Audit Project for the initial
audit that I reviewed.

I'd like to thank all of those involved for their work to resolve this
issue.  The brief turnaround time (18 days), even for a vulnerability in a
non-default configuration of a package that many (all?) of the affected
vendors do not *install* (let alone enable) by default.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html