Vigil@nce - cURL: privilege escalation via proxy connection reuse with NTLM authentication
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker whose requests go through a cURL-based client that also
serves other users can have them sent over a proxy connection that was
NTLM-authenticated by another user, so the HTTP proxy attributes the
requests to that user's account and the attacker escalates their
privileges.
Impacted products: cURL, Debian, Fedora, openSUSE, openSUSE Leap,
Slackware, Ubuntu.
Severity: 1/4.
Creation date: 27/01/2016.
DESCRIPTION OF THE VULNERABILITY
The cURL product includes an embeddable HTTP client library (libcurl)
and a command-line tool. Both can send requests through HTTP proxies.
When a proxy requires NTLM authentication, the authentication is
connection based: the NTLM handshake is performed once, and the proxy
then treats every further request on that TCP connection as coming
from the authenticated user. This differs from the usual HTTP
authentication schemes (Basic, Digest), which are request based: the
proxy checks the Proxy-Authorization header of each request
separately. cURL normally reuses TCP connections to the proxy for
several HTTP requests. However, it may also do so when different
proxy credentials have been specified at request level, so a request
issued with user B's credentials can be sent over a connection that
was already NTLM-authenticated as user A, without any new handshake.
An attacker can therefore use cURL with an HTTP proxy and NTLM
authentication to have requests processed under the proxy account of
another user, without knowing that user's password, in order to
escalate their privileges.
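The following model, added here as an illustration and not taken from cURL's code, shows why connection reuse is harmless with request-based proxy authentication but dangerous with NTLM, and what the reuse check in a connection cache has to compare. The proxy, its account table, the connection pool and the two requests are all constructed for the example; `proxy.example:3128`, the user names and the URLs are assumptions. The proxy binds an identity to the connection after one NTLM handshake, exactly as described above, while in Basic mode it checks the credentials of every request. The pool can run either with the vulnerable behaviour (reuse keyed on proxy host and port only) or with a fixed behaviour that refuses to reuse an NTLM connection for different credentials.

```python
"""Model of a cURL-style proxy connection cache versus a proxy that uses
connection-based (NTLM) or request-based (Basic) authentication.

Added illustration; not cURL's own code. All hosts, accounts and
requests below are constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

# Constructed proxy accounts (assumption for the example).
PROXY_ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class Connection:
    conn_id: int
    host: str
    port: int
    scheme: str                     # proxy auth scheme the client used
    proxy_user: Optional[str]       # credentials the connection was opened with
    proxy_pass: Optional[str]


@dataclass
class Proxy:
    """Toy proxy. NTLM: one handshake binds a user to the TCP connection and
    later requests on it are not re-checked. Basic: every request is checked."""
    connection_identity: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (identity, url) as seen by the proxy

    def handle(self, conn, scheme, user, password, url):
        if scheme == "ntlm":
            if conn.conn_id not in self.connection_identity:
                if PROXY_ACCOUNTS.get(user) != password:
                    return 407                # handshake fails
                self.connection_identity[conn.conn_id] = user
            identity = self.connection_identity[conn.conn_id]
        else:  # "basic": request based, credentials travel with each request
            if PROXY_ACCOUNTS.get(user) != password:
                return 407
            identity = user
        self.log.append((identity, url))
        return 200


class ConnectionPool:
    """Reuses proxy connections keyed on (host, port). With
    check_credentials_on_reuse=True it additionally refuses to reuse an
    NTLM-authenticated connection for different proxy credentials."""

    def __init__(self, check_credentials_on_reuse):
        self.check = check_credentials_on_reuse
        self.conns = []
        self.ids = count(1)

    def get(self, host, port, scheme, user, password):
        for c in self.conns:
            if (c.host, c.port) != (host, port):
                continue
            if (self.check and c.scheme == "ntlm"
                    and (c.proxy_user, c.proxy_pass) != (user, password)):
                continue                       # fixed: that connection belongs to its user
            return c                           # vulnerable: any connection to the proxy will do
        c = Connection(next(self.ids), host, port, scheme, user, password)
        self.conns.append(c)
        return c


def run_scenario(fixed, scheme, bob_password="bob-pw"):
    """Alice then Bob send one request each through the same client process.
    Returns (status codes, identities the proxy attributed the requests to)."""
    proxy = Proxy()
    pool = ConnectionPool(check_credentials_on_reuse=fixed)
    requests = [
        ("alice", "alice-pw", "http://intranet/alice-report"),
        ("bob", bob_password, "http://intranet/payroll"),
    ]
    statuses = []
    for user, password, url in requests:
        conn = pool.get("proxy.example", 3128, scheme, user, password)
        statuses.append(proxy.handle(conn, scheme, user, password, url))
    return statuses, proxy.log


if __name__ == "__main__":
    print("vulnerable, NTLM :", run_scenario(False, "ntlm"))
    print("fixed, NTLM      :", run_scenario(True, "ntlm"))
    print("vulnerable, Basic:", run_scenario(False, "basic"))
    print("vulnerable, NTLM, Bob with wrong password:",
          run_scenario(False, "ntlm", bob_password="wrong"))
```

In the vulnerable NTLM run Bob's request rides on Alice's connection and the proxy logs it as Alice's, even when Bob supplies a wrong password; with Basic authentication the same pool is harmless because the proxy checks each request. The fixed pool opens a second connection for Bob, so the proxy either authenticates him as himself or rejects him. In libcurl, an application that cannot upgrade can force the same separation itself by setting CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE on handles that use different proxy credentials, at the cost of one TCP connection and NTLM handshake per request.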
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN