Message-ID: <20060320112743.2A187CA0A4@ws5-11.us4.outblaze.com>
Date: Mon Mar 20 11:25:34 2006
From: metaur at operamail.com (Ulf Harnhammar)
Subject: [SSAG#001] :: cURL tftp:// URL Buffer Overflow
[SSAG#001] :: cURL tftp:// URL Buffer Overflow
INTRODUCTION
"curl is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP
PUT, FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload
of other useful tricks."
It is a very popular program in the Unix world. For more information,
see its homepage at http://curl.haxx.se/ .
THE VULNERABILITY
There is a buffer overflow in cURL when it fetches a long tftp:// URL
with a path that is longer than 512 characters. The URL must start with
"tftp://", then a valid hostname, then another slash, and then a path
and file name with more than 512 characters.
Successful exploitation of this vulnerability allows attackers to
execute code within the context of cURL. There are many programs
that allow remote users to access cURL, for instance through its
PHP bindings.
If cURL is configured to follow HTTP redirects, for example by using
its -L command line option, any web resource can redirect to a tftp://
URL that causes this overflow.
The bug has the identifier CVE-2006-1061. It affects cURL 7.15.0,
7.15.1* and 7.15.2*. You are immune if you use older versions or the
new 7.15.3. Users who do not want to upgrade to a new version can apply
the patch at http://curl.haxx.se/libcurl-tftp.patch .
Read also cURL's own advisory at
http://curl.haxx.se/docs/adv_20060320.html .
* = only on architectures where a certain struct has the same size as
on the x86 architecture
WORKAROUND
If cURL is compiled with "./configure --disable-tftp && make",
TFTP support in the program is disabled entirely. This effectively
secures it against this vulnerability, but some users may wish
to use the program's TFTP capabilities, making it an undesirable
workaround for them.
ABOUT SWEDISH SECURITY AUDIT GROUP
Swedish Security Audit Group aims to perform security audits of
computer programs written by Swedish developers, and to publish any
vulnerabilities using a responsible full-disclosure approach. It also
aims to publish free documentation in Swedish on how to program
securely.
// Ulf Harnhammar, Swedish Security Audit Group
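The following is an added example, not part of the advisory and not cURL code: a guard that an application accepting URLs from remote users could run before handing them to an unpatched cURL, flagging the pattern described under THE VULNERABILITY. The function names, the sample hostname and the choice to count raw (undecoded) characters after the slash are assumptions of this example; counting raw characters can only over-reject, since decoding never lengthens a path.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Limit from the advisory: a path longer than 512 characters overflows. */
#define TFTP_PATH_LIMIT 512

/* Length of the path of a tftp://host/path URL (everything after the slash
 * that follows the hostname), or -1 if the URL does not have that form.
 * The scheme is matched case-insensitively. Hypothetical helper. */
long tftp_path_len(const char *url)
{
    static const char scheme[] = "tftp://";
    const size_t slen = sizeof(scheme) - 1;
    const char *host, *slash;
    if (url == NULL || strncasecmp(url, scheme, slen) != 0)
        return -1;
    host = url + slen;
    slash = strchr(host, '/');
    if (slash == NULL || slash == host)   /* no path, or empty hostname */
        return -1;
    return (long)strlen(slash + 1);
}

/* 1 = matches the advisory's pattern, do not pass to cURL 7.15.0-7.15.2;
 * 0 = does not match. */
int url_hits_tftp_overflow(const char *url)
{
    return tftp_path_len(url) > TFTP_PATH_LIMIT;
}

/* Builds a constructed sample URL with a path of path_len filler bytes. */
void make_sample(char *buf, size_t cap, size_t path_len)
{
    int n = snprintf(buf, cap, "tftp://tftp.example.test/");
    if (n < 0 || (size_t)n + path_len >= cap) { buf[0] = '\0'; return; }
    memset(buf + n, 'A', path_len);
    buf[n + path_len] = '\0';
}

int main(void)
{
    char url[700];
    size_t lens[] = {10, 512, 513, 600};
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        make_sample(url, sizeof(url), lens[i]);
        printf("path=%zu reject=%d\n", lens[i], url_hits_tftp_overflow(url));
    }
    return 0;
}
```

Checking only the URL the user supplied does not cover the redirect case the advisory describes; where redirects are followed, the same check has to be applied to each redirect target as well.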