Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] cURL Buffer Overflow (tftp URL)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] cURL Buffer Overflow (tftp URL)
Date: 23 Mar 2006 14:24:07 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  cURL Buffer Overflow (tftp URL)
------------------------------------------------------------------------


SUMMARY

" <http://curl.haxx.se/> curl is a command line tool for transferring 
files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET, 
DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP 
PUT, FTP uploading, HTTP form based upload, proxies, cookies, 
user+password authentication (Basic, Digest, NTLM, Negotiate, 
kerberos...), file transfer resume, proxy tunneling and a busload of other 
useful tricks."

When cURL fetches a long tftp:// URL with a path that is longer than 512 
characters a buffer overflow may be triggered. The URL must start with 
"tftp://";, then a valid hostname, then another slash, and then a path and 
file name with more than 512 characters.

DETAILS

Vulnerable Systems:
 * cURL versions 7.15.0, 7.15.1* and 7.15.2*
* = only on architectures where a certain struct has the same size as on 
the x86 architecture

Immune Systems:
 * cURL versions 7.15.3 or versions patched with this patch : 
<http://curl.haxx.se/libcurl-tftp.patch> 
http://curl.haxx.se/libcurl-tftp.patch

Successful exploitation of this vulnerability allows attackers to execute 
code within the context of cURL. There are many programs that allow remote 
users to access cURL, for instance through its PHP bindings.

If cURL is configured to follow HTTP redirects, for example by using its 
-L command line option, any web resource can redirect to a tftp:// URL 
that causes this overflow.

Read also cURL's own advisory at:
 <http://curl.haxx.se/docs/adv_20060320.html> 
http://curl.haxx.se/docs/adv_20060320.html.

Workaround:
If cURL is compiled with "./configure --disable-tftp && make", the whole 
TFTP support in the program is disabled. This secures it effectively 
against this vulnerability, but some users may wish to use the program's 
TFTP capabilities, making it an undesirable workaround for them.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1061> 
CVE-2006-1061.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:metaur@operamail.com> Ulf 
Harnhammar.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] cURL Buffer Overflow (tftp URL), SecuriTeam <=
Previous by Date:  [NT] Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012), SecuriTeam
Next by Date:  [UNIX] Sendmail Memory Leak DoS, SecuriTeam
Previous by Thread:  [NT] Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012), SecuriTeam
Next by Thread:  [UNIX] Sendmail Memory Leak DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]