[SSAG#001] :: cURL tftp:// URL Buffer Overflow

INTRODUCTION

"curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET, DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks."

It is a very popular program in the Unix world. For more information, see its homepage at http://curl.haxx.se/ .

THE VULNERABILITY

There is a buffer overflow in cURL when it fetches a tftp:// URL whose path is longer than 512 characters. The URL must start with "tftp://", then a valid hostname, then another slash, and then a path and file name with more than 512 characters.

Successful exploitation of this vulnerability allows attackers to execute code within the context of cURL. Many programs allow remote users to reach cURL, for instance through its PHP bindings. If cURL is configured to follow HTTP redirects, for example with its -L command line option, any web resource can redirect to a tftp:// URL that triggers this overflow.

The bug has the identifier CVE-2006-1061. It affects cURL 7.15.0, 7.15.1* and 7.15.2*. You are immune if you use older versions or the new 7.15.3. Users who do not want to upgrade to a new version can apply the patch at http://curl.haxx.se/libcurl-tftp.patch . Read also cURL's own advisory at http://curl.haxx.se/docs/adv_20060320.html .

* = only on architectures where a certain struct has the same size as on the x86 architecture

WORKAROUND

If cURL is compiled with "./configure --disable-tftp && make", TFTP support is left out of the program entirely. This protects it effectively against this vulnerability, but users who need the program's TFTP capabilities will find it an undesirable workaround.
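As an added illustration (not part of this advisory or of cURL's own code), the following Python helpers show two checks an application that hands URLs to libcurl, or follows redirects on its behalf, might apply: whether an installed curl's version banner names one of the releases listed above, and whether a URL, including each hop of a redirect chain, is a tftp:// URL whose path exceeds the 512-character limit. The banner string, hostnames and redirect chain are constructed sample data, and measuring both the raw and the percent-decoded path is a conservative assumption of mine, not something the advisory states.

```python
import re
from urllib.parse import urlparse, unquote

# Path length beyond which the advisory says cURL's TFTP code overflows.
TFTP_PATH_LIMIT = 512
# Releases listed as affected by CVE-2006-1061 (7.15.1 and 7.15.2 only on
# architectures where the relevant struct has the same size as on x86).
AFFECTED_VERSIONS = {(7, 15, 0), (7, 15, 1), (7, 15, 2)}


def parse_curl_version(banner):
    """(major, minor, patch) from the first line of `curl --version` output,
    e.g. 'curl 7.15.1 (i686-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a'."""
    first_line = banner.strip().splitlines()[0]
    match = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", first_line)
    if match is None:
        raise ValueError("unrecognised curl version banner: %r" % first_line)
    return tuple(int(part) for part in match.groups())


def curl_version_affected(banner):
    """True when the banner names one of the affected releases."""
    return parse_curl_version(banner) in AFFECTED_VERSIONS


def tftp_url_overflows(url):
    """True for a tftp:// URL with a host and a path longer than 512 chars.
    Raw and percent-decoded path are both measured (conservative assumption;
    the advisory itself only says 'characters')."""
    parts = urlparse(url)
    if parts.scheme.lower() != "tftp" or not parts.netloc:
        return False
    raw_path = parts.path.lstrip("/")
    return max(len(raw_path), len(unquote(raw_path))) > TFTP_PATH_LIMIT


def first_unsafe_hop(redirect_chain):
    """Index of the first URL in a -L style redirect chain that would trigger
    the overflow, or -1 if none would; a wrapper can stop following there."""
    for index, hop in enumerate(redirect_chain):
        if tftp_url_overflows(hop):
            return index
    return -1


# Constructed sample data (placeholder hosts): a vulnerable banner and a
# redirect chain whose last hop is an over-long tftp:// path.
SAMPLE_BANNER = "curl 7.15.1 (i686-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a"
SAMPLE_CHAIN = ["http://www.example.test/start",
                "http://www.example.test/next",
                "tftp://tftp.example.test/" + "A" * 600]
```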
ABOUT SWEDISH SECURITY AUDIT GROUP

Swedish Security Audit Group aims to perform security audits of computer programs written by Swedish developers, and to publish any vulnerabilities using a responsible full-disclosure approach. It also aims to publish free documentation in Swedish on how to program securely.

// Ulf Harnhammar, Swedish Security Audit Group

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/