CVE-2019-17266: Heap-Based Buffer Overflow in libsoup HTTP Library

By Jarren Buendia on December 6, 2019

Introduction

According to GNOME’s internal wiki page, “libsoup is an HTTP client/server library for GNOME.” Libsoup uses “GObjects” and the “glib main loop” to integrate well with GNOME applications, and uses NTLM for authentication. GNOME, again according to its official website, is an open source desktop environment used on Unix/Linux systems. Those who are familiar with the Kali Linux OS have already interacted with a GNOME desktop by default. NTLM, libsoup’s authentication service, authenticates clients with a challenge-response approach, which allows users to be verified without sending a password hash to the server. While this approach has its pros and cons, a significant flaw has been discovered in the code that handles this authentication.

Vulnerability

Libsoup versions 2.65.1 through 2.68.1 were found to have a heap-based buffer overflow vulnerability because the length of the NTLM response message was not checked before the code executed a memcpy call.

Impact

The NVD has scored this CVE as 9.8 (Critical). Since this vulnerability lies in the handling of the response message of an NTLM authentication session, malicious users can attack remotely and without prior privileges. The impact on Confidentiality, Integrity, and Availability varies depending on how the vulnerability is exploited. That said, integrity would suffer the most, since the buffer overflow can overwrite memory and corrupt existing data at the overwritten addresses.

Mitigation

According to the libsoup GitHub repository, this vulnerability has already been patched since it was first reported on 07 October 2019. A small addition to the code in version 2.68.2 checks the length of the NTLM message before continuing. If the length check fails, the function frees the allocated buffer and returns FALSE.
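The following C program is an added illustration, not libsoup's code, of the check that the vulnerability and the 2.68.2 fix described above concern: a simplified parser for an NTLM Type 2 challenge that validates the message length and the target-name security buffer before its memcpy, frees its allocation and returns false when the check fails, plus a constructed message and a truncated copy of it to exercise both paths. The field offsets follow the NTLM Type 2 layout documented in the Davenport reference; the function names, structure and sample bytes are assumptions of this example, not identifiers from libsoup.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed part of an NTLM Type 2 (challenge) message, as the protocol lays it out:
 * signature "NTLMSSP\0" (8) | type (4) | target-name security buffer (8) |
 * flags (4) | server nonce (8).  A security buffer is len16, maxlen16, offset32
 * and points at a variable-length field later in the same message. */
#define NTLM_TYPE_OFFSET          8
#define NTLM_TARGET_NAME_OFFSET   12
#define NTLM_NONCE_OFFSET         24
#define NTLM_NONCE_LENGTH         8
#define NTLM_MIN_CHALLENGE_LENGTH (NTLM_NONCE_OFFSET + NTLM_NONCE_LENGTH)

typedef struct {
    uint8_t nonce[NTLM_NONCE_LENGTH];
    char   *target_name;      /* heap copy, NUL-terminated */
    size_t  target_name_len;
} ntlm_challenge;

static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void write_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse a challenge of `len` bytes.  Returns false whenever a field would be
 * read from outside the message; on false, out->target_name is NULL. */
bool parse_ntlm_challenge(const uint8_t *msg, size_t len, ntlm_challenge *out)
{
    out->target_name = NULL;
    out->target_name_len = 0;

    /* Check 1: the whole fixed header must be inside the message. */
    if (len < NTLM_MIN_CHALLENGE_LENGTH)
        return false;
    if (memcmp(msg, "NTLMSSP\0", 8) != 0 || read_le32(msg + NTLM_TYPE_OFFSET) != 2)
        return false;

    uint16_t name_len = read_le16(msg + NTLM_TARGET_NAME_OFFSET);
    uint32_t name_off = read_le32(msg + NTLM_TARGET_NAME_OFFSET + 4);

    out->target_name = malloc((size_t)name_len + 1);
    if (out->target_name == NULL)
        return false;

    /* Check 2: the peer-supplied offset and length must stay inside the
     * message.  This is the kind of check the post describes as missing:
     * without it, the memcpy below copies name_len bytes from wherever the
     * offset points, past the end of the heap buffer holding the message.
     * On failure, release the allocation and return false, as the fix does. */
    if (name_off > len || name_len > len - name_off) {
        free(out->target_name);
        out->target_name = NULL;
        return false;
    }

    memcpy(out->target_name, msg + name_off, name_len);
    out->target_name[name_len] = '\0';
    out->target_name_len = name_len;
    memcpy(out->nonce, msg + NTLM_NONCE_OFFSET, NTLM_NONCE_LENGTH);
    return true;
}

/* Build a constructed, well-formed challenge into buf; returns its length (0 on error). */
size_t build_challenge(uint8_t *buf, size_t cap, const char *name)
{
    size_t name_len = strlen(name);
    size_t total = NTLM_MIN_CHALLENGE_LENGTH + name_len;
    if (total > cap || name_len > UINT16_MAX)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, "NTLMSSP\0", 8);
    write_le32(buf + NTLM_TYPE_OFFSET, 2);
    write_le16(buf + NTLM_TARGET_NAME_OFFSET, (uint16_t)name_len);            /* len    */
    write_le16(buf + NTLM_TARGET_NAME_OFFSET + 2, (uint16_t)name_len);        /* maxlen */
    write_le32(buf + NTLM_TARGET_NAME_OFFSET + 4, NTLM_MIN_CHALLENGE_LENGTH); /* offset */
    for (size_t i = 0; i < NTLM_NONCE_LENGTH; i++)  /* constructed nonce, not random */
        buf[NTLM_NONCE_OFFSET + i] = (uint8_t)(0xA0 + i);
    memcpy(buf + NTLM_MIN_CHALLENGE_LENGTH, name, name_len);
    return total;
}

/* Exercise the parser on a full message and on the same bytes cut short
 * (as a truncated packet would be).  Returns 0 when both behave as expected. */
int run_checks(void)
{
    uint8_t buf[64];
    ntlm_challenge c;
    size_t n = build_challenge(buf, sizeof buf, "EXAMPLE");
    if (n == 0 || !parse_ntlm_challenge(buf, n, &c)) return 1;
    int ok = c.target_name_len == 7 && strcmp(c.target_name, "EXAMPLE") == 0;
    free(c.target_name);
    if (!ok) return 2;
    if (parse_ntlm_challenge(buf, n - 3, &c) || c.target_name != NULL) return 3;
    if (parse_ntlm_challenge(buf, 10, &c)) return 4;
    return 0;
}
```

The two checks are deliberately separate: the first guarantees that reading the fixed header is safe at all, and the second is evaluated only after the header fields have been read, because the bounds it needs (the offset and length of the variable field) come from the header itself. Ordering the free before the early return is what keeps the rejection path from leaking the allocation.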

References

“CVE-2019-17266 Detail.” Retrieved from: nvd.nist.gov. 07 October 2019.

“Discover GNOME 3.” Retrieved from: https://www.gnome.org. 07 October 2019.

“libsoup.” Retrieved from: wiki.gnome.org. 07 October 2019.

“libsoup2.4: CVE-2019-17266.” Retrieved from: bugs.debian.org. 08 October 2019.

“NTLM: Avoid a potential heap buffer overflow in v2 authentication.” Retrieved from: gitlab.gnome.org/GNOME/libsoup. 08 October 2019.

“The NTLM Authentication Protocol and Security Support Provider.” Retrieved from: davenport.sourceforge.net. 08 October 2019.