curl / Docs / curl CVEs / NTLM Buffer Overflow


NTLM Buffer Overflow

Project curl Security Advisory, October 13th 2005 Permalink


libcurl's NTLM function can overflow a stack-based buffer if given a too long username or domain name. This would happen if you enable NTLM authentication and either:

A - pass in a username and domain name to libcurl that together are longer than 192 bytes

B - allow (lib)curl to follow HTTP "redirects" (Location: and the appropriate HTTP 30x response code) and the new URL contains a URL with a username and domain name that together are longer than 192 bytes


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-3185 to this issue.

CWE-121: Stack-based Buffer Overflow

Severity: High


All versions of libcurl ever released with NTLM capabilities enabled are vulnerable to this flaw.

libcurl builds with SSPI support (added in version 7.13.2 and only available on Windows) are NOT affected.

On non-Windows machines, the NTLM support requires the lib to have been built with OpenSSL support. Therefore: libcurl builds without SSL support or SSL support provided by GnuTLS are NOT affected.

Also note that (lib)curl is used by many applications, and not always advertised as such.



We strongly suggest you take one of the following actions immediately:

A - Upgrade to curl and libcurl 7.15.0

B - Apply the patch to your libcurl version and install this.

C - Disable NTLM either by not enabling the command line option (to curl) or by not using the NTLM-enabling options with libcurl.


We were notified at 22:15 local time October 12 2005.

The notification mail was also sent to the wget camp (as they share pretty much the same source and thus the same flaw). The mail to the wget project was sent to a mail alias that is forwarded to a public mailing list with public archives etc.

The patch was produced within 30 minutes.

A number of distributors and packagers of curl were notified the same evening and early morning October 13th.

Mailed vendor-sec 09:00 on October 13th

I noticed the "leak" of this flaw at 09:50 October 13th and mailed vendor-sec about it.

At 10:50 October 13th, the advisory was posted to the curl-users and curl-library mailing list and then curl 7.15.0 was already released and available for download.


Reported to us by this company, original discoverer is anonymous