From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 23 Mar 2006 14:24:07 +0200
Subject: [UNIX] cURL Buffer Overflow (tftp URL)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060326084725.0883F5803@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
X-Spam-Status: No, hits=2.057 tagged_above=2 required=5
tests=DATE_IN_PAST_48_96, MSGID_FROM_MTA_ID
X-Spam-Level: **
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
cURL Buffer Overflow (tftp URL)
------------------------------------------------------------------------
SUMMARY
" <http://curl.haxx.se/>; curl is a command line tool for transferring
files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET,
DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP
PUT, FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload of other
useful tricks."
When cURL fetches a long tftp:// URL with a path that is longer than 512
characters a buffer overflow may be triggered. The URL must start with
"tftp://", then a valid hostname, then another slash, and then a path and
file name with more than 512 characters.
DETAILS
Vulnerable Systems:
* cURL versions 7.15.0, 7.15.1* and 7.15.2*
* = only on architectures where a certain struct has the same size as on
the x86 architecture
Immune Systems:
* cURL versions 7.15.3 or versions patched with this patch :
<http://curl.haxx.se/libcurl-tftp.patch>;
http://curl.haxx.se/libcurl-tftp.patch
Successful exploitation of this vulnerability allows attackers to execute
code within the context of cURL. There are many programs that allow remote
users to access cURL, for instance through its PHP bindings.
If cURL is configured to follow HTTP redirects, for example by using its
-L command line option, any web resource can redirect to a tftp:// URL
that causes this overflow.
Read also cURL's own advisory at:
<http://curl.haxx.se/docs/adv_20060320.html>;
http://curl.haxx.se/docs/adv_20060320.html.
Workaround:
If cURL is compiled with "./configure --disable-tftp && make", the whole
TFTP support in the program is disabled. This secures it effectively
against this vulnerability, but some users may wish to use the program's
TFTP capabilities, making it an undesirable workaround for them.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1061>;
CVE-2006-1061.
ADDITIONAL INFORMATION
The information has been provided by <mailto:metaur@operamail.com.> Ulf
Harnhammar.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
