neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010207
SecurityTracker URL: http://securitytracker.com/id/1010207
Date: May 19 2004
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.24.5 and prior versions
A vulnerability was reported in neon in the date parsing function. A remote user can execute arbitrary code on the target system.
Stefan Esser of e-matters reported that there is a heap overflow in the neon library. A user can reportedly supply a specially crafted date string to ne_rfc1036_parse() to trigger the overflow.
A remote or local user may be able to execute arbitrary code on the target system. The specific impact depends on the target application that uses the affected neon library function.
The report indicates that OpenOffice and Subversion do not use this function and are not affected.
The original advisory is available at:
A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the target application that uses the affected neon library function.
The vendor has developed a fixed version (0.24.6), available at:
Vendor URL: www.webdav.org/neon
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
-= Security Advisory =-
Advisory: libneon date parsing vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser [email@example.com]
Application: libneon <= 0.24.5
Severity: A vulnerability within a date parsing function allows arbitrary code execution
Vendor Status: Vendor is releasing a bugfixed version.
Quote from: http://www.webdav.org/neon
"neon is an HTTP and WebDAV client library, with a C interface. Featuring:
* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."
A vulnerability within a libneon date parsing function could cause a
heap overflow which could lead to remote code execution, depending on
the application using libneon.
OpenOffice and Subversion *DO NOT* use this function and are therefore
not vulnerable to THIS problem.
While scanning the libneon source code for common programming errors
an unsafe usage of sscanf() was discovered within one of the date
When a specially crafted date string is passed to ne_rfc1036_parse(),
it may trigger an sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon
but is considered trivial in cases where an out-of-memory condition
can be triggered, because the overflowing variable is placed in front
of the libneon out-of-memory callback function pointer.
Please note that your application could be vulnerable even if you
do not use ne_rfc1036_parse() directly, because its functionality
is used by several higher level API functions.
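The defect class the advisory describes is an sscanf() string conversion with no field width writing into a fixed-size buffer. The following is an added example written for this page, not libneon's own ne_rfc1036_parse() and not code from the advisory: a bounds-checked parser for RFC 1036 dates ("Sunday, 06-Nov-94 08:49:37 GMT") in which every string conversion carries an explicit width one byte smaller than its buffer, so an overlong token is rejected rather than written past the end of the buffer. The function names, buffer sizes and sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libneon code. Buffer sizes are chosen for this
 * illustration: "Wednesday" is the longest RFC 1036 weekday name and
 * month abbreviations are three letters. */
#define WKDAY_LEN 9
#define MON_LEN   3

struct rfc1036_date {
    char wkday[WKDAY_LEN + 1];
    char mon[MON_LEN + 1];
    int day, year, hour, min, sec;
};

static const char *const wkdays[] = {
    "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"
};
static const char *const months[] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Index of name in table (n entries), or -1 if it is not a known name. */
static int lookup(const char *name, const char *const *table, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, table[i]) == 0)
            return i;
    return -1;
}

/* Parses str into *out. Returns 1 on success, 0 on malformed, overlong
 * or out-of-range input. The key point is the field widths: %9[...]
 * stores at most 9 characters plus the terminator into wkday[10], and
 * %3[...] at most 3 into mon[4]. A longer token stops the conversion
 * early, the following literal (',' or '-') then fails to match, and
 * sscanf() returns fewer than 7 conversions instead of overflowing. */
int parse_rfc1036_safe(const char *str, struct rfc1036_date *out)
{
    memset(out, 0, sizeof *out);
    int n = sscanf(str, "%9[A-Za-z], %2d-%3[A-Za-z]-%2d %2d:%2d:%2d GMT",
                   out->wkday, &out->day, out->mon, &out->year,
                   &out->hour, &out->min, &out->sec);
    if (n != 7)
        return 0;
    if (lookup(out->wkday, wkdays, 7) < 0 || lookup(out->mon, months, 12) < 0)
        return 0;
    if (out->day < 1 || out->day > 31 || out->year < 0 || out->year > 99 ||
        out->hour > 23 || out->min > 59 || out->sec > 60)
        return 0;
    return 1;
}

/* Convenience wrappers so callers (and tests) need no struct of their own. */
int rfc1036_is_valid(const char *str)
{
    struct rfc1036_date d;
    return parse_rfc1036_safe(str, &d);
}

int rfc1036_day(const char *str)
{
    struct rfc1036_date d;
    return parse_rfc1036_safe(str, &d) ? d.day : -1;
}

/* Audit helper: length of the leading token up to the first ',' or ' ',
 * i.e. how many bytes an unbounded "%s" conversion would copy before the
 * separator. Comparing this against a known buffer size is a quick way
 * to classify inputs when reviewing a parser of this shape. */
size_t leading_token_len(const char *str)
{
    size_t i = 0;
    while (str[i] != '\0' && str[i] != ',' && str[i] != ' ')
        i++;
    return i;
}

int main(void)
{
    /* constructed sample inputs */
    const char *good = "Sunday, 06-Nov-94 08:49:37 GMT";
    const char *bad  = "Sundayyyyyyyyyyy, 06-Nov-94 08:49:37 GMT";
    printf("%s -> valid=%d token_len=%zu\n", good, rfc1036_is_valid(good),
           leading_token_len(good));
    printf("%s -> valid=%d token_len=%zu\n", bad, rfc1036_is_valid(bad),
           leading_token_len(bad));
    return 0;
}
```

The width in the conversion specifier is the whole fix: without it, sscanf() copies the token until the first whitespace regardless of the destination size, which is exactly the condition in which a caller-supplied date string can run past a static buffer into whatever the linker placed after it. Range checks on the numeric fields are a second, independent layer so that a syntactically valid but nonsensical date does not propagate further.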
Proof of Concept:
e-matters is not going to release an exploit for this vulnerability to
02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits
for the public disclosure date
19. May 2004 - Coordinated Public Disclosure
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue.
Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function, the issue is rated with a
medium severity. Nevertheless, upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.
pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
Copyright 2004 Stefan Esser. All rights reserved.