<<< Date Index >>>     <<< Thread Index >>>

Advisory 24/2005: libcurl URL parsing vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: libcurl URL Parsing Vulnerability
 Release Date: 2005/12/07
Last Modified: 2005/12/07
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: Curl    <= 7.15.0
               libcurl <= 7.15.0
     Severity: When (lib)Curl tries to parse a certain kind of 
               malformed URLs this leads to a heap overflow
         Risk: Low
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_242005.109.html


Overview:

   libcurl is a free and easy-to-use client-side URL transfer library, 
   supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE 
   and LDAP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, 
   FTP uploading, HTTP form based upload, proxies, cookies, 
   user+password authentication (Basic, Digest, NTLM, Negotiate, 
   Kerberos4), file transfer resume, http proxy tunneling and more!
    
   During a quick scan of the URL parsing code within libcurl, it was
   discovered, that certain malformed URLs trigger an off-by-one(two)
   bufferoverflow. This may lead to unintended arbitrary code execution.
   
   Because the attacker must be able to force curl to load such an URL,
   which is not possible through a HTTP redirect, the impact is low.
   However a local attacker might use this vulnerability to break out 
   of safe_mode/open_basedir restrictions when PHP is compiled with
   libcurl support.


Details:

   When libcurl parses an URL it first allocates certain buffers for
   the hostname part and the path. As long the URL is short a minimum 
   amount of 256 bytes is allocated for each of these buffers.
   
   When the input URL exceeds the 256 byte limit, libcurl allocates
   the two buffers in a size that is exactly the lenght of the input
   URL. For typical URLs this is enough (although space for the 0
   string termination byte is not allocated). 
   
   The URL is then parsed by a number of sscanf calls. Unfortunately
   certain malformed URLs will result in sscanf copying the complete
   input URL into either the host or the path buffer. Because the
   initial allocation did not allocate the extra space for the 0 byte
   this eventually results in an off by one situation.
   
   While this overflow with one zero byte is already enough to 
   manipulate certain implementaions of malloc()/free(), it is possible
   to cause a two byte overflow by starting a hostname with a ?
   When libcurl finds a ? in the hostname it suspects a malformed URL
   and inserts a path seperator / infront of it. This is performed
   without any kind of size check.
   
   This vulnerability is believed to be only triggerable through direct
   requesting curl to load a malformed URL and NOT through a HTTP
   redirect. Because this is usually not possible for remote attackers, 
   this vulnerability is rated low risk. This vulnerability might
   however be used to break out of PHP's safe_mode/open_basedir when
   it is compiled against libcurl. Additonally such an exploit might be 
   used to steal the local SSL certificate from apache memory.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit for 
   this vulnerability to the public.


Disclosure Timeline:

   29. November 2005 - Vulnerability was disclosed to the vendor
    6. December 2005 - Vendor has released a bugfixed version
    7. December 2005 - Public Disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied new
   version of curl and libcurl.
      
      curl/libcurl 7.15.1
      http://curl.haxx.se/download.html
      

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDlqvrRDkUzAqGSqERAvlmAJ9nJbJUh8PrFfUt3Oiuo/R6iPY5RwCgx6Te
kuEfsGf+Sv8AAJlARQPyrhM=
=C/3A
-----END PGP SIGNATURE-----