CVE-2004-0541

Squid Web Proxy Cache 2.5.x and 3.x - Remote Code Execution via NTLM Authentication Password Overflow

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-0541. PoCs were published by Metasploit and skape, including the Metasploit module exploits/linux/proxy/squid_ntlm_authenticate.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack-based buffer overflow in Squid's NTLM authentication (CVE-2004-0541). It crafts malicious NTLMSSP_AUTHENTICATE messages to overwrite the return address and execute shellcode.

Description

Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16847

This is a Metasploit module exploiting a stack-based buffer overflow in Squid's NTLM authentication (CVE-2004-0541). It crafts malicious NTLMSSP_AUTHENTICATE messages to overwrite the return address and execute shellcode.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Squid Proxy (versions with NTLM authentication enabled)
No auth needed
Prerequisites: Network access to vulnerable Squid proxy · NTLM authentication enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by skape · ruby · remote · multiple
https://www.exploit-db.com/exploits/9951

This is a Metasploit module exploiting a stack-based buffer overflow in Squid's NTLM authentication (CVE-2004-0541). It crafts malicious NTLMSSP_AUTHENTICATE packets to overflow the 'pass' variable, allowing arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Squid Proxy (versions with NTLM authentication enabled)
No auth needed
Prerequisites: Network access to vulnerable Squid proxy · NTLM authentication enabled on the proxy
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb

This Metasploit module exploits a stack-based buffer overflow in Squid's NTLM authentication (CVE-2004-0541) by sending maliciously crafted NTLMSSP_AUTHENTICATE messages. It targets Linux systems with a brute-force approach to bypass ASLR.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: Squid Proxy (versions with NTLM authentication enabled)
No auth needed
Prerequisites: Network access to vulnerable Squid proxy · NTLM authentication enabled
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Mailing List vendor-advisory x_refsource_fedora
http://fedoranews.org/updates/FEDORA--.shtml
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10722
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2004-242.html
Patch, Vendor Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200406-13.xml
Various Sources vendor-advisory x_refsource_mandrake
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:059
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16360
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10500
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.net/errata/2004/0033/
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A980

Scores

EPSS 0.7107
EPSS Percentile 99.3%

Details

Status published
Products (2)
national_science_foundation/squid_web_proxy_cache 2.5_stable
national_science_foundation/squid_web_proxy_cache 3_pre
Published Aug 06, 2004
Tracked Since Feb 18, 2026