BID:12616

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

Info

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

Bugtraq ID:	12616
Class:	Boundary Condition Error
CVE:	CVE-2005-0490
Remote:	Yes
Local:	No
Published:	Feb 22 2005 12:00AM
Updated:	Aug 24 2006 05:54PM
Credit:	Credited to infamous41md[at]hotpop.com.
Vulnerable:	SGI ProPack 3.0 Mandriva Linux Mandrake 10.1 x86_64 Mandriva Linux Mandrake 10.1 Mandriva Linux Mandrake 10.0 AMD64 Mandriva Linux Mandrake 10.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 Gentoo Linux F5 BIG-IP 4.6.2 F5 BIG-IP 4.6 F5 BIG-IP 4.5.12 F5 BIG-IP 4.5.11 F5 BIG-IP 4.5.10 F5 BIG-IP 4.5.9 F5 BIG-IP 4.5.6 F5 BIG-IP 4.5 F5 BIG-IP 4.4 F5 BIG-IP 4.3 F5 BIG-IP 4.2 F5 BIG-IP 4.0 F5 3-DNS 4.6.2 F5 3-DNS 4.6 F5 3-DNS 4.5.12 F5 3-DNS 4.5.11 F5 3-DNS 4.5 F5 3-DNS 4.4 F5 3-DNS 4.3 F5 3-DNS 4.2 Daniel Stenberg curl 7.13 Daniel Stenberg curl 7.13 Daniel Stenberg curl 7.12.3 Daniel Stenberg curl 7.12.2 Daniel Stenberg curl 7.12.1 + Redhat Desktop 4.0 + Redhat Enterprise Linux AS 4 + Redhat Enterprise Linux ES 4 + Redhat Enterprise Linux WS 4 Daniel Stenberg curl 7.12 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 Daniel Stenberg curl 7.11.2 Daniel Stenberg curl 7.11.1 Daniel Stenberg curl 7.11 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 Daniel Stenberg curl 7.10.8 Daniel Stenberg curl 7.10.7 Daniel Stenberg curl 7.10.6 + Redhat Desktop 3.0 + Redhat Enterprise Linux AS 3 + Redhat Enterprise Linux ES 3 + Redhat Enterprise Linux WS 3 Daniel Stenberg curl 7.10.5 Daniel Stenberg curl 7.10.4 Daniel Stenberg curl 7.10.3 Daniel Stenberg curl 7.10.2 Daniel Stenberg curl 7.10.1 Daniel Stenberg curl 7.10 Daniel Stenberg curl 7.9.8 Daniel Stenberg curl 7.9.7 Daniel Stenberg curl 7.9.6 Daniel Stenberg curl 7.9.5 Daniel Stenberg curl 7.9.4 Daniel Stenberg curl 7.9.3 Daniel Stenberg curl 7.9.2 Daniel Stenberg curl 7.9.1 Daniel Stenberg curl 7.9 Daniel Stenberg curl 7.8.1 Daniel Stenberg curl 7.8 Daniel Stenberg curl 7.7.3 Daniel Stenberg curl 7.7.2 Daniel Stenberg curl 7.7.1 Daniel Stenberg curl 7.7 Daniel Stenberg curl 7.6.1 Daniel Stenberg curl 7.6 Daniel Stenberg curl 7.5.2 Daniel Stenberg curl 7.5.1 Daniel Stenberg curl 7.5 Daniel Stenberg curl 7.4.2 Daniel Stenberg curl 7.4.1 Daniel Stenberg curl 7.4 Daniel Stenberg curl 7.3 + Redhat PowerTools 7.0 + Redhat PowerTools 6.2 + Redhat PowerTools 6.1 Daniel Stenberg curl 7.2.1 Daniel Stenberg curl 7.2 Daniel Stenberg curl 7.1.1 Daniel Stenberg curl 7.1 Daniel Stenberg curl 6.5.2 Daniel Stenberg curl 6.5.1 Daniel Stenberg curl 6.5 Daniel Stenberg curl 6.4 Daniel Stenberg curl 6.3 Daniel Stenberg curl 6.2 Daniel Stenberg curl 6.1 beta Daniel Stenberg curl 6.1 Daniel Stenberg curl 6.0 + Debian Linux 2.2 ALT Linux ALT Linux Junior 2.3 ALT Linux ALT Linux Compact 2.3

Not Vulnerable:	F5 BIG-IP 4.6.3 F5 BIG-IP 4.5.13 F5 3-DNS 4.6.3 F5 3-DNS 4.5.13 Daniel Stenberg curl 7.13.1

Discussion

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

It has been reported that cURL and libcURL are vulnerable to a remotely exploitable stack-based buffer overflow vulnerability. The cURL and libcURL Kerberos authentication code fails to ensure that a buffer overflow cannot occur when server response data is decoded.

The overflow occurs in the stack region, and remote code execution is possible if the saved instruction pointer is overwritten with a pointer to embedded instructions.

Exploit / POC

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

Solution / Fix

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

Solution:
The vendor has released cURL version 7.13.1 to address this and other issues.

SGI has released an advisory 20050403-01-U including updated SGI ProPack 3 Service Pack 4 packages to address this issue. Please see the referenced advisory for more information.

Gentoo has released an advisory (GLSA 200503-20) and an updated eBuild to address this vulnerability. Gentoo users are advised to apply the updates by issuing the following sequence of commands as a superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=net-misc/curl-7.13.1"

Mandrake has released advisory MDKSA-2005:048 dealing with this issue. Please see the referenced advisory for more information.

Conectiva Linux has released advisory CLA-2005:940 along with fixes dealing with this issue. Please see the referenced advisory for more information.

ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.

Red Hat has released advisory RHSA-2005:340-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

F5 Networks BIG-IP and 3-DNS upgrades are available from the vendor. Please contact the vendor for more information.

Daniel Stenberg curl 6.0

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.1 beta

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.2

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.3

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.4

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.5

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.5.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 6.5.2

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.1.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.3

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.4

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.5

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.6

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.10.7

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.11

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Mandrake curl-7.11.0-2.1.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake curl-7.11.0-2.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake curl-7.11.0-2.1.C30mdk.i586.rpm
Mandrake Corporate Server 3.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake curl-7.11.0-2.1.C30mdk.x86_64.rpm
Mandrake Corporate Server 3.0/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl2-7.11.0-2.1.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl2-7.11.0-2.1.C30mdk.x86_64.rpm
Mandrake Corporate Server 3.0/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl2-devel-7.11.0-2.1.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl2-devel-7.11.0-2.1.C30mdk.x86_64.rpm
Mandrake Corporate Server 3.0/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl2-7.11.0-2.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl2-7.11.0-2.1.C30mdk.i586.rpm
Mandrake Corporate Server 3.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl2-devel-7.11.0-2.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl2-devel-7.11.0-2.1.C30mdk.i586.rpm
Mandrake Corporate Server 3.0
http://www.mandrakesecure.net/en/ftp.php

Daniel Stenberg curl 7.11.1

Conectiva curl-7.11.1-53435U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/curl-7.11.1-53435U10_ 1cl.i386.rpm

Conectiva libcurl-devel-7.11.1-53435U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl-devel-7.11.1- 53435U10_1cl.i386.rpm

Conectiva libcurl-devel-static-7.11.1-53435U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl-devel-static- 7.11.1-53435U10_1cl.i386.rpm

Conectiva libcurl2-7.11.1-53435U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl2-7.11.1-53435 U10_1cl.i386.rpm

Daniel Stenberg curl 7.12

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.12.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Mandrake curl-7.12.1-1.1.101mdk.i586.rpm
Mandrake Linux 10.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake curl-7.12.1-1.1.101mdk.x86_64.rpm
Mandrake Linux 10.1/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl3-7.12.1-1.1.101mdk.x86_64.rpm
Mandrake Linux 10.1/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake lib64curl3-devel-7.12.1-1.1.101mdk.x86_64.rpm
Mandrake Linux 10.1/x86_64
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl3-7.12.1-1.1.101mdk.i586.rpm
Mandrake Linux 10.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake libcurl3-devel-7.12.1-1.1.101mdk.i586.rpm
Mandrake Linux 10.1
http://www.mandrakesecure.net/en/ftp.php

Daniel Stenberg curl 7.13

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.2

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.2.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.3

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.4

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

Daniel Stenberg curl 7.4.1

Daniel Stenberg curl-7.13.1.tar.gz
http://curl.haxx.se/download/curl-7.13.1.tar.gz

References

cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability

References:

[security-announce] I: updated packages available (ALT Linux)
cURL homepage (Daniel Stenberg )
Fixed in 7.13.1 (Daniel Stenberg)
Homepage (F5 Software)
RHSA-2005:340-09 - curl security update (RedHat)
iDEFENSE Security Advisory 02.21.05: Multiple Unix/Linux Vendor cURL/libcURL Ker ("iDEFENSE Labs" )