-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: libneon date parsing vulnerability
 Release Date: 2004/05/19
Last Modified: 2004/05/19
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: libneon <= 0.24.5
     Severity: A vulnerability within a date parsing function
               allows arbitrary code execution
         Risk: Medium
Vendor Status: Vendor is releasing a bugfixed version.
    Reference: http://security.e-matters.de/advisories/062004.html


Overview:

   Quote from: http://www.webdav.org/neon
   
   "neon is an HTTP and WebDAV client library, with a C interface.
Featuring:

    * High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
    * Low-level interface to HTTP request handling, to allow implementing...
    * persistent connections
    * RFC2617 basic and digest authentication (including auth-int, md5-sess)
    * Proxy support (including basic/digest authentication)
    * SSL/TLS support using OpenSSL (including client certificate support)
    * Generic WebDAV 207 XML response handling mechanism
    * XML parsing using the expat or libxml parsers
    * Easy generation of error messages from 207 error responses
    * WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
    * WebDAV metadata support: set and remove properties, query any set...
    * autoconf macros supplied for easily embedding neon directly inside..."
    
   A vulnerability within a libneon date parsing function could cause a
   heap overflow which could lead to remote code execution, depending on
   the application using libneon.
   
   OpenOffice and Subversion *DO NOT* use this function and are therefore
   not vulnerable to THIS problem.
   
   
Details:
   
   While scanning the libneon source code for common programming errors
   an unsafe usage of sscanf() was discovered within one of the date
   parsing functions.
   
   When a special crafted date string is passed to the ne_rfc1036_parse()
   it may trigger a sscanf() string overflow into static heap variables.
   Exploitability heavily depends on the application linked against neon
   but is considered trivial in cases where an out-of-memory condition
   can be triggered, because the overflowing variable is placed infront
   of the libneon out-of-memory callback function pointer.
   
   Please notice that your application could be vulnerable even if you
   do not use ne_rfc1036_parse() directly, because its functionality
   is used by several higher level API functions.


Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability to
   the public.
   

Disclosure Timeline:

   02. May 2004 - Neon developers were contacted by email
   04. May 2004 - Joe Orton has fixed the bug within neon and waits 
                  for the public disclosure date
   19. May 2004 - Coordinated Public Disclosure
   
   
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0398 to this issue.


Recommendation:

   Because Subversion and OpenOffice, which are the most important libneon
   users, are not using the vulnerable function the issue is rated with a
   medium severity. Nevertheless upgrading your neon version is recommended
   because other applications could be vulnerable and could expose the
   vulnerable function to the outside world.
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAqVPIb31XLTAExLwRAoGJAKCp5TcNu2GcHMWXqULTSG3eaAHJ9QCfcIhr
bSituskBxQx4gaw3uOmnjuQ=
=hgrE
-----END PGP SIGNATURE-----