cURL Kerberos authentication buffer overflow

curl-kerberos-bo (19423) The risk level is classified as HighHigh Risk

Description:

cURL is an open-source HTTP client that allows the user to transfer files using URL syntax running on Unix-based operating systems. cURL version 7.12.1 and possibly earlier versions are vulnerable to a stack-based buffer overflow, caused by a vulnerability when the Kerberos authentication in the Curl_krb_kauth and krb4_auth functions in the lib/krb4.c is used. If a user is connected to a malicious server using Kerberos authentication, a remote attacker could send a specially-crafted response containing 1250 bytes to overflow a buffer and execute arbitrary code on the system with user privileges.

Platforms Affected:

  • Canonical, Ubuntu 4.10
  • cURL, cURL 7.12.1
  • Gentoo, Linux
  • MandrakeSoft, Mandrake Linux 10.0 AMD64
  • MandrakeSoft, Mandrake Linux 10.0
  • MandrakeSoft, Mandrake Linux 10.1 X86_64
  • MandrakeSoft, Mandrake Linux 10.1
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0
  • Novell, Linux Desktop 9
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 4 WS
  • RedHat, Enterprise Linux 4 ES
  • RedHat, Enterprise Linux 4 AS
  • RedHat, Enterprise Linux 4 Desktop
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • SuSE, Linux Enterprise Server 9
  • SuSE, SuSE Linux 9.1
  • SuSE, SuSE Linux 9.2
  • Turbolinux, Turbolinux 10 Desktop
  • Turbolinux, Turbolinux 10 F...
  • Turbolinux, Turbolinux 10 Server
  • Turbolinux, Turbolinux Home
  • Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed

Remedy:

For Gentoo Linux:
Upgrade to the latest version of curl (7.13.1 and later), as listed in Gentoo Linux Security Announcement GLSA 200503-20. See References.

For Red Hat Linux:
Refer to RHSA-2005:340-09 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-86-1 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2005:011 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

  • CIAC INFORMATION BULLETIN P-167, cURL Security Update at http://www.ciac.org/ciac/bulletins/p-167.shtml.
  • cURL Web page, cURL and libcurl at http://curl.haxx.se/.
  • iDEFENSE Security Advisory 02.21.05, Multiple Unix/Linux Vendor cURL/libcURL Kerberos Authentication Buffer Overflow at http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities.
  • BID-12615: cURL / libcURL NTLM Authentication Buffer Overflow Vulnerability
  • BID-12616: cURL / libcURL Kerberos Authentication Buffer Overflow Vulnerability
  • CVE-2005-0490: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
  • GLSA-200503-20: curl: NTLM response buffer overflow
  • MDKSA-2005:048: Updated curl packages fix vulnerability
  • RHSA-2005-340: curl security update
  • SUSE-SA:2005:011: curl: buffer overflow in NTLM authentication

Reported:

Feb 21, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page