A vulnerability in libcurl could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.
The vulnerability exists in the NT LAN Manager (NTLM) Curl_auth_create_ntlm_type3_message function, as defined in the lib/vauth/ntlm.c source code file of the affected software, and is due to improper buffer checks. The affected function creates an outgoing NTLM type-3 header and generates the request HTTP header contents based on previously received data. An attacker could exploit the vulnerability by sending very large ‘nt response’ output data, which has been extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server, to the targeted system. A successful exploit could cause a stack-based buffer overflow condition, allowing the attacker to execute arbitrary code or cause a DoS condition on the system.
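The defect described above is a length check missing before a variable-length, server-derived field is copied into a fixed-size stack buffer. The following C snippet is an added illustration of the hardened pattern and is not libcurl's code: the buffer size (1024 bytes), the fixed header length (64 bytes) and the function name build_type3_message are constructed for this example, and the real type-3 message layout has more fields than shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative fixed-size stack buffer for an outgoing NTLM type-3 message.
 * The 1024-byte size is a constructed value for this example, not libcurl's. */
#define TYPE3_BUFSIZE 1024

/* Offset at which the variable-length NT response is placed in the message
 * (constructed for this example; the real type-3 layout carries more fields). */
#define TYPE3_FIXED_HEADER_LEN 64

/* Append the server-derived NT response to the type-3 message.
 * Returns the total message length on success, or -1 when the response would
 * not fit. The bounds check is the point: an unchecked memcpy of an oversized
 * 'nt response' into a fixed stack buffer is the overflow pattern the advisory
 * describes; rejecting the message instead leaves the stack intact. */
int build_type3_message(unsigned char *out, size_t outsize,
                        const unsigned char *ntresp, size_t ntresplen)
{
    size_t used = TYPE3_FIXED_HEADER_LEN;

    if (outsize < used)
        return -1;
    /* Remaining capacity must cover the whole NT response before copying. */
    if (ntresplen > outsize - used)
        return -1;

    memset(out, 0, used);                 /* stand-in for the fixed header fields */
    memcpy(out + used, ntresp, ntresplen); /* safe: length verified above */
    used += ntresplen;
    return (int)used;
}

int main(void)
{
    unsigned char msg[TYPE3_BUFSIZE];
    unsigned char small[24] = {0};   /* constructed: a plausible NTLMv2 response size */
    unsigned char huge[4096] = {0};  /* constructed: an oversized 'nt response' */

    printf("small response: %d\n", build_type3_message(msg, sizeof msg, small, sizeof small));
    printf("huge response:  %d\n", build_type3_message(msg, sizeof msg, huge, sizeof huge));
    return 0;
}
```

The oversized input is rejected with -1 rather than written past the end of the buffer; in practice the remediation is to apply the cURL Project's updated releases, since the check belongs in the library itself rather than in calling code.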
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
The cURL Project has confirmed the vulnerability and released software updates.