Date: 09 December 2005
References: ESB-2005.0978
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0974 -- [UNIX/Linux]
libcurl URL Parsing Vulnerability
9 December 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libcurl
Publisher: Hardened-PHP Project
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Existing Account
Original Bulletin: http://www.hardened-php.net/advisory_242005.109.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: libcurl URL Parsing Vulnerability
Release Date: 2005/12/07
Last Modified: 2005/12/07
Author: Stefan Esser [sesser@hardened-php.net]
Application: Curl <= 7.15.0
libcurl <= 7.15.0
Severity: When (lib)curl parses a certain kind of malformed
URL, a heap overflow results
Risk: Low
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_242005.109.html
Overview:
libcurl is a free and easy-to-use client-side URL transfer library,
supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE
and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
Kerberos4), file transfer resume, http proxy tunneling and more!
During a quick scan of the URL parsing code within libcurl, it was
discovered that certain malformed URLs trigger an off-by-one (or
off-by-two) buffer overflow. This may lead to unintended arbitrary
code execution. Because the attacker must be able to force curl to
load such a URL, which is not possible through an HTTP redirect, the
impact is low. However, a local attacker might use this vulnerability
to break out of safe_mode/open_basedir restrictions when PHP is
compiled with libcurl support.
Details:
When libcurl parses a URL it first allocates separate buffers for
the hostname part and the path. As long as the URL is short, a
minimum of 256 bytes is allocated for each of these buffers.
When the input URL exceeds the 256 byte limit, libcurl allocates
the two buffers with a size that is exactly the length of the input
URL. For typical URLs this is enough (although no space is allocated
for the terminating 0 byte of the string).
The URL is then parsed by a number of sscanf calls. Unfortunately,
certain malformed URLs will result in sscanf copying the complete
input URL into either the host or the path buffer. Because the
initial allocation did not reserve the extra space for the 0 byte,
this results in an off-by-one situation.
While this overflow with a single zero byte is already enough to
manipulate certain implementations of malloc()/free(), it is possible
to cause a two byte overflow by starting a hostname with a ?.
When libcurl finds a ? in the hostname it suspects a malformed URL
and inserts a path separator / in front of it. This is performed
without any kind of size check.
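The buffer sizing and ? handling described above, as an added example that is not libcurl's code: a hypothetical URL splitter (names url_buf_size, split_url, parsed_url and check_split are assumptions) that sizes both buffers for the worst case and bounds every copy, so neither the terminating 0 byte nor the inserted / can run past the allocation.

```c
#include <stdlib.h>
#include <string.h>

#define MIN_BUF 256  /* minimum allocation the advisory describes */

struct parsed_url { char *host; char *path; };
/* sscanf-style parsing can land the whole URL in either buffer, so size
 * both for strlen(url) (at least MIN_BUF) plus a byte for the NUL and one
 * for an inserted '/': the two bytes the advisory says were unaccounted for. */
size_t url_buf_size(const char *url) {
    size_t n = strlen(url);
    return (n < MIN_BUF ? MIN_BUF : n) + 2;
}

/* Splits "scheme://host/path?query" into host and path; a path that is
 * empty or starts with '?' gets a leading '/'. Returns 0 on success. */
int split_url(const char *url, struct parsed_url *out) {
    size_t cap = url_buf_size(url);
    out->host = calloc(cap, 1);
    out->path = calloc(cap, 1);
    if (!out->host || !out->path) { free(out->host); free(out->path); return -1; }

    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;

    /* Host ends at the first '/' or '?'; every copy is bounded by cap. */
    size_t hl = strcspn(p, "/?");
    const char *rest = p + hl;
    if (hl > cap - 1) hl = cap - 1;
    memcpy(out->host, p, hl);
    out->host[hl] = '\0';

    /* Insert the '/' only with room left for it, the bytes and the NUL. */
    size_t off = 0, rl = strlen(rest);
    if (*rest != '/') out->path[off++] = '/';
    if (rl > cap - 1 - off) rl = cap - 1 - off;
    memcpy(out->path + off, rest, rl);
    out->path[off + rl] = '\0';
    return 0;
}

void free_url(struct parsed_url *u) { free(u->host); free(u->path); }

/* Helper for checking results: 1 if url splits into the expected parts. */
int check_split(const char *url, const char *host, const char *path) {
    struct parsed_url u;
    if (split_url(url, &u) != 0) return 0;
    int ok = strcmp(u.host, host) == 0 && strcmp(u.path, path) == 0;
    free_url(&u);
    return ok;
}
```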
This vulnerability is believed to be triggerable only by directly
requesting that curl load a malformed URL, and NOT through an HTTP
redirect. Because this is usually not possible for remote attackers,
this vulnerability is rated low risk. This vulnerability might
however be used to break out of PHP's safe_mode/open_basedir when
PHP is compiled against libcurl. Additionally, such an exploit might
be used to steal the local SSL certificate from Apache memory.
Proof of Concept:
The Hardened-PHP Project is not going to release an exploit for
this vulnerability to the public.
Disclosure Timeline:
29. November 2005 - Vulnerability was disclosed to the vendor
6. December 2005 - Vendor has released a bugfixed version
7. December 2005 - Public Disclosure
Recommendation:
We strongly recommend upgrading to the new version of curl and
libcurl supplied by the vendor.
curl/libcurl 7.15.1
http://curl.haxx.se/download.html
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFDlqvrRDkUzAqGSqERAvlmAJ9nJbJUh8PrFfUt3Oiuo/R6iPY5RwCgx6Te
kuEfsGf+Sv8AAJlARQPyrhM=
=C/3A
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----