
SSAG-001.txt

Posted Mar 22, 2006
Authored by Ulf Harnhammar

Swedish Security Audit Group - [SSAG#001] :: cURL tftp:// URL Buffer Overflow: There is a buffer overflow in cURL when it fetches a long tftp:// URL with a path that is longer than 512 characters. Successful exploitation of this vulnerability allows attackers to execute code within the context of cURL. It affects cURL 7.15.0, 7.15.1* and 7.15.2*.

tags | advisory, overflow
SHA-256 | 36ca04a1f057d6b3c5096a9dd844560eb67a9d261d88dc180d57bde1a777ddd1

[SSAG#001] :: cURL tftp:// URL Buffer Overflow


INTRODUCTION


"curl is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP
PUT, FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload
of other useful tricks."

It is a very popular program in the Unix world. For more information,
see its homepage at http://curl.haxx.se/ .


THE VULNERABILITY


There is a buffer overflow in cURL when it fetches a long tftp:// URL
with a path that is longer than 512 characters. The URL must start with
"tftp://", then a valid hostname, then another slash, and then a path
and file name with more than 512 characters.

Successful exploitation of this vulnerability allows attackers to
execute code within the context of cURL. There are many programs
that allow remote users to access cURL, for instance through its
PHP bindings.

If cURL is configured to follow HTTP redirects, for example by using
its -L command line option, any web resource can redirect to a tftp://
URL that causes this overflow.

The bug has the identifier CVE-2006-1061. It affects cURL 7.15.0,
7.15.1* and 7.15.2*. You are not affected if you use older versions or the
new 7.15.3. Users who do not want to upgrade to a new version can apply
the patch at http://curl.haxx.se/libcurl-tftp.patch .

Read also cURL's own advisory at
http://curl.haxx.se/docs/adv_20060320.html .

* = only on architectures where a certain struct has the same size as
on the x86 architecture
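
The trigger condition described above (tftp://, a hostname, a slash, then more than 512 characters) can be tested before a URL is handed to an affected build. This is an added example, not code from the advisory or from cURL; check_tftp_url, make_sample and the host tftp.example.test are hypothetical names, and the sample URLs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TFTP_PATH_LIMIT 512     /* threshold stated in the advisory */

enum url_verdict { URL_OK, URL_MALFORMED, URL_TFTP_PATH_TOO_LONG };

/* Hypothetical pre-flight check: classify a URL before it reaches cURL. */
enum url_verdict check_tftp_url(const char *url)
{
    static const char scheme[] = "tftp://";
    const size_t scheme_len = sizeof(scheme) - 1;
    if (url == NULL)
        return URL_MALFORMED;
    /* Schemes are case-insensitive; stop at the first mismatch (or NUL). */
    for (size_t i = 0; i < scheme_len; i++)
        if (tolower((unsigned char)url[i]) != scheme[i])
            return URL_OK;                  /* not tftp://: out of scope */
    const char *host = url + scheme_len;
    const char *slash = strchr(host, '/');
    if (*host == '\0' || slash == host)
        return URL_MALFORMED;               /* no hostname */
    if (slash == NULL)
        return URL_OK;                      /* hostname only, no path */
    /* Raw length; percent-decoding can only shorten it, so this errs toward rejecting. */
    return strlen(slash + 1) > TFTP_PATH_LIMIT ? URL_TFTP_PATH_TOO_LONG : URL_OK;
}

/* Constructed sample input: a tftp:// URL whose path is path_len 'A' bytes. */
char *make_sample(char *buf, size_t cap, size_t path_len)
{
    static const char prefix[] = "tftp://tftp.example.test/";
    size_t n = sizeof(prefix) - 1;
    if (n + path_len + 1 > cap)
        return NULL;
    memcpy(buf, prefix, n);
    memset(buf + n, 'A', path_len);
    buf[n + path_len] = '\0';
    return buf;
}

int main(void)
{
    char buf[1024];
    printf("512-character path: %d\n", check_tftp_url(make_sample(buf, sizeof buf, 512)));
    printf("513-character path: %d\n", check_tftp_url(make_sample(buf, sizeof buf, 513)));
    return 0;
}
```

A check like this only sees URLs the calling application supplies itself. A tftp:// URL reached through a followed HTTP redirect never passes through it, so upgrading, patching or building without TFTP support is still needed.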


WORKAROUND


If cURL is compiled with "./configure --disable-tftp && make",
the whole TFTP support in the program is disabled. This secures it
effectively against this vulnerability, but some users may wish
to use the program's TFTP capabilities, making it an undesirable
workaround for them.


ABOUT SWEDISH SECURITY AUDIT GROUP


Swedish Security Audit Group aims to perform security audits of
computer programs written by Swedish developers, and to publish any
vulnerabilities using a responsible full-disclosure approach. It also
aims to publish free documentation in Swedish on how to program
securely.


// Ulf Harnhammar, Swedish Security Audit Group


