lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060320112743.2A187CA0A4@ws5-11.us4.outblaze.com>
Date: Mon Mar 20 11:25:34 2006
From: metaur at operamail.com (Ulf Harnhammar)
Subject: [SSAG#001] :: cURL tftp:// URL Buffer Overflow

[SSAG#001] :: cURL tftp:// URL Buffer Overflow


INTRODUCTION


"curl is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP
PUT, FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload
of other useful tricks."

It is a very popular program in the Unix world. For more information,
see its homepage at  http://curl.haxx.se/ .


THE VULNERABILITY


There is a buffer overflow in cURL when it fetches a long tftp:// URL
with a path that is longer than 512 characters. The URL must start with
"tftp://", then a valid hostname,  then another slash, and then a path
and file name with more than 512 characters.

Successful exploitation of this vulnerability allows attackers to
execute code within the context of cURL. There are many programs
that allow remote users to access cURL, for instance through its
PHP bindings.

If cURL is configured to follow HTTP redirects, for example by using
its -L command line option, any web resource can redirect to a tftp://
URL that causes this overflow.

The bug has the identifier CVE-2006-1061. It affects cURL 7.15.0,
7.15.1* and 7.15.2*. You are immune if you use older versions or the
new 7.15.3. Users that do not want to upgrade to a new version can apply
the patch at  http://curl.haxx.se/libcurl-tftp.patch .

Read also cURL's own advisory at
http://curl.haxx.se/docs/adv_20060320.html .

* = only on architectures where a certain struct has the same size as
    on the x86 architecture


WORKAROUND


If cURL is compiled with "./configure --disable-tftp && make",
the whole TFTP support in the program is disabled. This secures it
effectively against this vulnerability, but some users may wish
to use the program's TFTP capabilities, making it an undesirable
workaround for them.


ABOUT SWEDISH SECURITY AUDIT GROUP


Swedish Security Audit Group aims to perform security audits of
computer programs written by Swedish developers, and to publish any
vulnerabilities using a responsible full-disclosure approach. It also
aims to publish free documentation in Swedish on how to program
securely.


// Ulf Harnhammar, Swedish Security Audit Group



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ