Advisory 06/2004: libneon date parsing vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: libneon date parsing vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser [s.esser@xxxxxxxxxxxx]
Application: libneon <= 0.24.5
Severity: A vulnerability within a date parsing function
allows arbitrary code execution
Risk: Medium
Vendor Status: Vendor is releasing a bugfixed version.
Reference: http://security.e-matters.de/advisories/062004.html
Overview:
Quote from: http://www.webdav.org/neon
"neon is an HTTP and WebDAV client library, with a C interface. Featuring:
* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."
A vulnerability within a libneon date parsing function could cause a
heap overflow which could lead to remote code execution, depending on
the application using libneon.
OpenOffice and Subversion *DO NOT* use this function and are therefore
not vulnerable to THIS problem.
Details:
While scanning the libneon source code for common programming errors
an unsafe usage of sscanf() was discovered within one of the date
parsing functions.
When a special crafted date string is passed to the ne_rfc1036_parse()
it may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon
but is considered trivial in cases where an out-of-memory condition
can be triggered, because the overflowing variable is placed infront
of the libneon out-of-memory callback function pointer.
Please notice that your application could be vulnerable even if you
do not use ne_rfc1036_parse() directly, because its functionality
is used by several higher level API functions.
Proof of Concept:
e-matters is not going to release an exploit for this vulnerability to
the public.
Disclosure Timeline:
02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits
for the public disclosure date
19. May 2004 - Coordinated Public Disclosure
CVE Information:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue.
Recommendation:
Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function the issue is rated with a
medium severity. Nevertheless upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.
GPG-Key:
http://security.e-matters.de/gpg_key.asc
pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
Copyright 2004 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAqVPIb31XLTAExLwRAoGJAKCp5TcNu2GcHMWXqULTSG3eaAHJ9QCfcIhr
bSituskBxQx4gaw3uOmnjuQ=
=hgrE
-----END PGP SIGNATURE-----
--
--------------------------------------------------------------------------
Stefan Esser s.esser@xxxxxxxxxxxx
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------