ntml encoding vuln fixes

vanhauser-thc · vanhauser-thc · commit 9cc84c20e75f · 2026-05-19T10:12:29.000+02:00
diff --git a/CHANGES b/CHANGES
@@ -2,7 +2,7 @@ Changelog for hydra
 -------------------
 
 Release 9.8-dev
-* security fixes:
+* security fixes (some reported by Elpe Pinillo and TristanInSec):
   - hydra.restore deserialization: validate ownership, clamp length/count/
     offset fields before driving malloc and loop bounds
   - parent IPC: NUL-terminate after read_safe to stop strcpy past the stack
@@ -46,6 +46,7 @@ Release 9.8-dev
     rather than literal interpolation (/630)
   - hydra-wizard.sh: build a properly-quoted argv array 
   - xhydra: refuse SMB2 workgroup containing '}' 
+  - NTLM encoding vulnerabilties
   - SVN URLBRANCH NUL-termination + 255-byte miscptr cap;
     CVS encryption-table OOB-read clamp; IMAP DIGEST-MD5
     prefix + capability accumulator; SIP external_ip_addr
diff --git a/hydra-http-proxy-urlenum.c b/hydra-http-proxy-urlenum.c
@@ -158,6 +158,13 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
         // Send response
         buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, mlogin, mpass, NULL, NULL);
         to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
+        /* The Type-3 base64 response embeds a server-controlled domain string
+         * and can exceed `buffer` for a malicious server. Refuse rather than
+         * overflow. */
+        if (strlen((char *)buf1) + strlen(url) + strlen(host) + strlen(header) + 128 >= sizeof(buffer)) {
+          hydra_report(stderr, "[ERROR] HTTP-PROXY-URLENUM NTLM AUTH: oversized response\n");
+          return 3;
+        }
         sprintf(buffer,
                 "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
                 "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c
@@ -166,6 +166,13 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
       // Send response
       buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
       to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
+      /* The Type-3 base64 response embeds a server-controlled domain string
+       * and could exceed `buffer` for a malicious server. Refuse rather than
+       * overflow. */
+      if (strlen((char *)buf1) + strlen(url) + strlen(host) + strlen(header) + 128 >= sizeof(buffer)) {
+        hydra_report(stderr, "[ERROR] HTTP-PROXY NTLM AUTH: oversized response\n");
+        return 3;
+      }
       sprintf(buffer,
               "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
               "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
diff --git a/hydra-http.c b/hydra-http.c
@@ -185,6 +185,23 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
     buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
     to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
 
+    /* The Type-3 base64 response embeds a server-controlled domain string and
+     * can grow well past the initial buffer_size for a malicious server. Grow
+     * the buffer to hold it (plus operator-supplied bits) before sprintf. */
+    {
+      size_t needed = strlen((char *)buf1) + strlen(header) + 1024;
+      if (needed > (size_t)buffer_size) {
+        char *new_buffer = realloc(buffer, needed);
+        if (new_buffer == NULL) {
+          free(buffer);
+          free(header);
+          return 3;
+        }
+        buffer = new_buffer;
+        buffer_size = needed;
+      }
+    }
+
     // create the auth response
     if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
       sprintf(buffer,
diff --git a/hydra-imap.c b/hydra-imap.c
@@ -368,6 +368,12 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
     buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
     to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
 
+    /* The Type-3 base64 response embeds a server-controlled domain string and
+     * can exceed `buffer` for a malicious server. Refuse rather than overflow. */
+    if (strlen((char *)buf1) + 2 >= sizeof(buffer)) {
+      hydra_report(stderr, "[ERROR] IMAP NTLM AUTH: oversized response\n");
+      return 3;
+    }
     sprintf(buffer, "%s\r\n", buf1);
   } break;
   default:
diff --git a/hydra-nntp.c b/hydra-nntp.c
@@ -230,6 +230,12 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
     buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
     to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
+    /* The Type-3 base64 response embeds a server-controlled domain string and
+     * can exceed `buffer` for a malicious server. Refuse rather than overflow. */
+    if (strlen((char *)buf1) + 2 >= sizeof(buffer)) {
+      hydra_report(stderr, "[ERROR] NNTP NTLM AUTH: oversized response\n");
+      return 3;
+    }
     sprintf(buffer, "%s\r\n", (char *)buf1);
   } break;
 
diff --git a/hydra-pop3.c b/hydra-pop3.c
@@ -375,6 +375,12 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
     buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
     to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
 
+    /* The Type-3 base64 response embeds a server-controlled domain string and
+     * can exceed `buffer` for a malicious server. Refuse rather than overflow. */
+    if (strlen((char *)buf1) + 2 >= sizeof(buffer)) {
+      hydra_report(stderr, "[ERROR] POP3 NTLM AUTH: oversized response\n");
+      return 3;
+    }
     sprintf(buffer, "%s\r\n", buf1);
   } break;
   default:
diff --git a/hydra-smtp.c b/hydra-smtp.c
@@ -190,6 +190,12 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 
     buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
     to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
+    /* The Type-3 base64 response embeds a server-controlled domain string and
+     * can exceed `buffer` for a malicious server. Refuse rather than overflow. */
+    if (strlen((char *)buf1) + 2 >= sizeof(buffer)) {
+      hydra_report(stderr, "[ERROR] SMTP NTLM AUTH: oversized response\n");
+      return 3;
+    }
     sprintf(buffer, "%s\r\n", buf1);
   } break;
 
