[UNIX] cURL Buffer Overflow (tftp URL)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



cURL Buffer Overflow (tftp URL)
------------------------------------------------------------------------


SUMMARY

" <http://curl.haxx.se/> curl is a command line tool for transferring
files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, TELNET,
DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP
PUT, FTP uploading, HTTP form based upload, proxies, cookies,
user+password authentication (Basic, Digest, NTLM, Negotiate,
kerberos...), file transfer resume, proxy tunneling and a busload of other
useful tricks."

When cURL fetches a long tftp:// URL with a path that is longer than 512
characters a buffer overflow may be triggered. The URL must start with
"tftp://";, then a valid hostname, then another slash, and then a path and
file name with more than 512 characters.

DETAILS

Vulnerable Systems:
* cURL versions 7.15.0, 7.15.1* and 7.15.2*
* = only on architectures where a certain struct has the same size as on
the x86 architecture

Immune Systems:
* cURL versions 7.15.3 or versions patched with this patch :
<http://curl.haxx.se/libcurl-tftp.patch>
http://curl.haxx.se/libcurl-tftp.patch

Successful exploitation of this vulnerability allows attackers to execute
code within the context of cURL. There are many programs that allow remote
users to access cURL, for instance through its PHP bindings.

If cURL is configured to follow HTTP redirects, for example by using its
-L command line option, any web resource can redirect to a tftp:// URL
that causes this overflow.

Read also cURL's own advisory at:
<http://curl.haxx.se/docs/adv_20060320.html>
http://curl.haxx.se/docs/adv_20060320.html.

Workaround:
If cURL is compiled with "./configure --disable-tftp && make", the whole
TFTP support in the program is disabled. This secures it effectively
against this vulnerability, but some users may wish to use the program's
TFTP capabilities, making it an undesirable workaround for them.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1061>
CVE-2006-1061.


ADDITIONAL INFORMATION

The information has been provided by <mailto:metaur@xxxxxxxxxxxxx> Ulf
Harnhammar.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages