libsoup Stack-Based Buffer Overflow Vulnerability in NTLM Authentication Module Allows Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the NTLM authentication module of libsoup. This flaw arises from improper bounds checking on stack-allocated buffers in the md4sum() function, allowing local attackers to overwrite adjacent memory. When NTLM authentication is enabled, this vulnerability could be exploited to execute arbitrary code with the privileges of the affected application. Several widely used components, including WebKit, Evolution, GVfs, and gnome-online-accounts, enable NTLM by default, thereby increasing the risk of exploitation.

Impact

Successful exploitation overflows a stack buffer, which could allow arbitrary code execution with the privileges of the affected application.

Reproduction

The vulnerability can be reproduced by creating an NTLM authentication feature in a libsoup session and then sending a crafted authorization header that triggers the buffer overflow in the md4sum() function. This can be done using a C program that links against libsoup, with the authorization header base64-encoded to include a maliciously crafted password that triggers the overflow. Running the program with AddressSanitizer enabled catches the memory corruption error.

Added: Jan 8, 2026, 1:18 PM
Updated: Jan 8, 2026, 6:51 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 10.0
exploitability: 5.2
remediation: 8.3
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.