[UNIX] Libneon Date Parsing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/19/04

  • Next message: SecuriTeam: "[UNIX] CVS Entry Line Flag Heap Overflow"
    To: list@securiteam.com
    Date: 19 May 2004 15:25:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Libneon Date Parsing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.webdav.org/neon> neon is "an HTTP and WebDAV client library,
    with a C interface". A vulnerability within a libneon date parsing
    function could cause a heap overflow that could lead to remote code
    execution, depending on the application using libneon. OpenOffice and
    Subversion *DO NOT* use this function and are therefore not vulnerable to
    THIS problem.

    DETAILS

    Vulnerable Systems:
     * libneon version 0.24.5 and prior

    While scanning the libneon source code for common programming errors an
    unsafe usage of sscanf() was discovered within one of the date parsing
    functions.
     
    When a special crafted date string is passed to the ne_rfc1036_parse() it
    may trigger a sscanf() string overflow into static heap variables.
    Exploitability heavily depends on the application linked against neon but
    is considered trivial in cases where an out-of-memory condition can be
    triggered, because the overflowing variable is placed in front of the
    libneon out-of-memory callback function pointer.
     
    Please notice that your application could be vulnerable even if you do not
    use ne_rfc1036_parse() directly, because its functionality is used by
    several higher level API functions.

    Disclosure Timeline:
    02. May 2004 - Neon developers were contacted by email
    04. May 2004 - Joe Orton has fixed the bug within neon and waits for the
    public disclosure date
    19. May 2004 - Coordinated Public Disclosure
     
    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398>
    CAN-2004-0398

    Recommendation:
    Because Subversion and OpenOffice, which are the most important libneon
    users, are not using the vulnerable function the issue is rated with a
    medium severity. Nevertheless upgrading your neon version is recommended
    because other applications could be vulnerable and could expose the
    vulnerable function to the outside world.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:s.esser@e-matters.de> Stefan
    Esser.

    The original article can be found at:
    <http://security.e-matters.de/advisories/062004.html>
    http://security.e-matters.de/advisories/062004.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] CVS Entry Line Flag Heap Overflow"