-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: libneon date parsing vulnerability Release Date: 2004/05/19 Last Modified: 2004/05/19 Author: Stefan Esser [s.esser@e-matters.de] Application: libneon <= 0.24.5 Severity: A vulnerability within a date parsing function allows arbitrary code execution Risk: Medium Vendor Status: Vendor is releasing a bugfixed version. Reference: http://security.e-matters.de/advisories/062004.html Overview: Quote from: http://www.webdav.org/neon "neon is an HTTP and WebDAV client library, with a C interface. Featuring: * High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc) * Low-level interface to HTTP request handling, to allow implementing... * persistent connections * RFC2617 basic and digest authentication (including auth-int, md5-sess) * Proxy support (including basic/digest authentication) * SSL/TLS support using OpenSSL (including client certificate support) * Generic WebDAV 207 XML response handling mechanism * XML parsing using the expat or libxml parsers * Easy generation of error messages from 207 error responses * WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL. * WebDAV metadata support: set and remove properties, query any set... * autoconf macros supplied for easily embedding neon directly inside..." A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon. OpenOffice and Subversion *DO NOT* use this function and are therefore not vulnerable to THIS problem. Details: While scanning the libneon source code for common programming errors an unsafe usage of sscanf() was discovered within one of the date parsing functions. When a special crafted date string is passed to the ne_rfc1036_parse() it may trigger a sscanf() string overflow into static heap variables. Exploitability heavily depends on the application linked against neon but is considered trivial in cases where an out-of-memory condition can be triggered, because the overflowing variable is placed infront of the libneon out-of-memory callback function pointer. Please notice that your application could be vulnerable even if you do not use ne_rfc1036_parse() directly, because its functionality is used by several higher level API functions. Proof of Concept: e-matters is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 02. May 2004 - Neon developers were contacted by email 04. May 2004 - Joe Orton has fixed the bug within neon and waits for the public disclosure date 19. May 2004 - Coordinated Public Disclosure CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0398 to this issue. Recommendation: Because Subversion and OpenOffice, which are the most important libneon users, are not using the vulnerable function the issue is rated with a medium severity. Nevertheless upgrading your neon version is recommended because other applications could be vulnerable and could expose the vulnerable function to the outside world. GPG-Key: http://security.e-matters.de/gpg_key.asc pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC Copyright 2004 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFAqVPIb31XLTAExLwRAoGJAKCp5TcNu2GcHMWXqULTSG3eaAHJ9QCfcIhr bSituskBxQx4gaw3uOmnjuQ= =hgrE -----END PGP SIGNATURE-----