Ubuntu 4.10 : curl vulnerability (USN-86-1)

2006-01-1500:00:00

www.tenable.com

infamous41md discovered a buffer overflow in cURL’s NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-86-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20711);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2005-0490");
  script_xref(name:"USN", value:"86-1");

  script_name(english:"Ubuntu 4.10 : curl vulnerability (USN-86-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"infamous41md discovered a buffer overflow in cURL's NT LAN Manager
(NTLM) authentication handling. By sending a specially crafted long
NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with
the privileges of the application using the cURL library.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"curl", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dbg", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dev", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-gssapi", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl2 / libcurl2-dbg / libcurl2-dev / libcurl2-gssapi");
}

VendorProductVersionCPE
canonicalubuntu_linuxcurlp-cpe:/a:canonical:ubuntu_linux:curl
canonicalubuntu_linuxlibcurl2p-cpe:/a:canonical:ubuntu_linux:libcurl2
canonicalubuntu_linuxlibcurl2-dbgp-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg
canonicalubuntu_linuxlibcurl2-devp-cpe:/a:canonical:ubuntu_linux:libcurl2-dev
canonicalubuntu_linuxlibcurl2-gssapip-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi
canonicalubuntu_linux4.10cpe:/o:canonical:ubuntu_linux:4.10

Vendor	Product	Version	CPE
canonical	ubuntu_linux	curl	p-cpe:/a:canonical:ubuntu_linux:curl
canonical	ubuntu_linux	libcurl2	p-cpe:/a:canonical:ubuntu_linux:libcurl2
canonical	ubuntu_linux	libcurl2-dbg	p-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg
canonical	ubuntu_linux	libcurl2-dev	p-cpe:/a:canonical:ubuntu_linux:libcurl2-dev
canonical	ubuntu_linux	libcurl2-gssapi	p-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi
canonical	ubuntu_linux	4.10	cpe:/o:canonical:ubuntu_linux:4.10

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0490

JSON

Related for UBUNTU_USN-86-1.NASL