Title

A buffer overflow vulnerability due to incorrect integer conversion in the NTLM authentication of the CONNECT protocol negotiation

Exploitability

The vulnerability is exploitable under the following conditions:

• Stunnel versions 4.21 to 4.54 inclusive.
• Stunnel compiled as a 64-bit executable. Any 32-bit builds, including pre-compiled Win32 binaries, are not vulnerable.
• Service configured in SSL client mode ("client = yes").
• CONNECT protocol negotiation enabled ("protocol = connect").
• NTLM authentication enabled ("protocolAuthentication = NTLM").
• The attacker able either to control the proxy server specified as a parameter of the "connect" option, or to perform MITM attacks on TCP sessions between stunnel and the proxy server.

Impact

The vulnerability may be exploited for arbitrary code execution. The code is executed within the configured chroot directory, with privileges of the configured user and group.

CVSS v2 Score

• CVSS Base Score: 6.6
  • Impact Subscore: 8.5
  • Exploitability Subscore: 4.9
• CVSS Temporal Score: 5.2
• Overall CVSS Score: 5.2

CVSS v2 Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:C/E:P/RL:O/RC:C)

Recommendation

Upgrade to stunnel 4.55, or disable the NTLM authentication.

Credits

• Vulnerability discovery: Mateusz Kocielski, LogicalTrust
• This report: Michal Trojnara

Timeline

• Initial release: 03 Mar 2013
• Last update: 05 May 2015