[UNIX] Libneon Date Parsing Vulnerability

• Previous message: SecuriTeam: "[UNIX] osCommerce's File Manager Arbitrary File Disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 19 May 2004 15:25:48 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Libneon Date Parsing Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.webdav.org/neon> neon is "an HTTP and WebDAV client library,
with a C interface". A vulnerability within a libneon date parsing
function could cause a heap overflow that could lead to remote code
execution, depending on the application using libneon. OpenOffice and
Subversion *DO NOT* use this function and are therefore not vulnerable to
THIS problem.

DETAILS

Vulnerable Systems:
 * libneon version 0.24.5 and prior

While scanning the libneon source code for common programming errors an
unsafe usage of sscanf() was discovered within one of the date parsing
functions.
 
When a special crafted date string is passed to the ne_rfc1036_parse() it
may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon but
is considered trivial in cases where an out-of-memory condition can be
triggered, because the overflowing variable is placed in front of the
libneon out-of-memory callback function pointer.
 
Please notice that your application could be vulnerable even if you do not
use ne_rfc1036_parse() directly, because its functionality is used by
several higher level API functions.

Disclosure Timeline:
02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits for the
public disclosure date
19. May 2004 - Coordinated Public Disclosure
 
CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398>
CAN-2004-0398

Recommendation:
Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function the issue is rated with a
medium severity. Nevertheless upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.

ADDITIONAL INFORMATION

The information has been provided by <mailto:s.esser@e-matters.de> Stefan
Esser.

The original article can be found at:
<http://security.e-matters.de/advisories/062004.html>
http://security.e-matters.de/advisories/062004.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] osCommerce's File Manager Arbitrary File Disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]