SecurityTracker Archives

Category:   Application (Generic)  >   neon
Vendors:   webdav.org
neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010207
SecurityTracker URL:  http://securitytracker.com/id/1010207
CVE Reference:   CVE-2004-0398
Date:  May 19 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.24.5 and prior versions
Description:   A vulnerability was reported in neon in the date parsing function. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters reported that there is a heap overflow in the neon library. A user can reportedly supply a specially crafted date string to ne_rfc1036_parse() to trigger the overflow.

A remote or local user may be able to execute arbitrary code on the target system. The specific impact depends on the target application that uses the affected neon library function.

The report indicates that OpenOffice and Subversion do not use this function and are not affected.

The original advisory is available at:

http://security.e-matters.de/advisories/062004.html

Impact:   A remote user may be able to execute arbitrary code on the target system. The specific impact depends on the target application that uses the affected neon library function.
Solution:   The vendor has developed a fixed version (0.24.6), available at:

http://www.webdav.org/neon/neon-0.24.6.tar.gz

Vendor URL:  www.webdav.org/neon
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 19 2004 (Red Hat Issues Fix for Cadaver) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Cadaver for Red Hat Linux 2.1.
May 19 2004 (Debian Issues Fix) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
May 19 2004 (Debian Issues Fix for cadaver) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Debian has released a fix for cadaver.
May 19 2004 (Mandrake Issues Fix) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
May 19 2004 (Fedora Issues Fix for FC1) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for FC1.
May 20 2004 (Fedora Issues Fix for FC2) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for FC2.
May 20 2004 (Gentoo Issues Fix) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Gentoo has released a fix.
May 20 2004 (Gentoo Issues Fix) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Gentoo has released a fix.
May 25 2004 (Conectiva Issues Fix) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
May 31 2004 (Gentoo Issues Fix for GNU Arch) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Gentoo has released a fix for GNU Arch (tla).
Jun 7 2004 (Gentoo Issues Advisory for Sitecopy) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Gentoo has released an advisory for sitecopy.
Jul 30 2004 (Mandrake Issues Fix for OpenOffice) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Sep 29 2004 (Red Hat Issues Fix for Cadaver for RH Linux) neon Library Heap Overflow in ne_rfc1036_parse() Date Parsing Function May Let Remote Users Execute Arbitrary Code
Red Hat has issued a fix for Cadaver on Red Hat Linux 7.3 and 9.



Source Message Contents

Subject:  http://security.e-matters.de/advisories/062004.html


http://security.e-matters.de/advisories/062004.html

                            e-matters GmbH
                           www.e-matters.de

                       -= Security  Advisory =-



      Advisory: libneon date parsing vulnerability
  Release Date: 2004/05/19
Last Modified: 2004/05/19
        Author: Stefan Esser [s.esser@e-matters.de]

   Application: libneon <= 0.24.5
      Severity: A vulnerability within a date parsing function
                allows arbitrary code execution
          Risk: Medium
Vendor Status: Vendor is releasing a bugfixed version.
     Reference: http://security.e-matters.de/advisories/062004.html


Overview:

    Quote from: http://www.webdav.org/neon

    "neon is an HTTP and WebDAV client library, with a C interface. Featuring:

     * High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
     * Low-level interface to HTTP request handling, to allow implementing...
     * persistent connections
     * RFC2617 basic and digest authentication (including auth-int, md5-sess)
     * Proxy support (including basic/digest authentication)
     * SSL/TLS support using OpenSSL (including client certificate support)
     * Generic WebDAV 207 XML response handling mechanism
     * XML parsing using the expat or libxml parsers
     * Easy generation of error messages from 207 error responses
     * WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
     * WebDAV metadata support: set and remove properties, query any set...
     * autoconf macros supplied for easily embedding neon directly inside..."

    A vulnerability within a libneon date parsing function could cause a
    heap overflow which could lead to remote code execution, depending on
    the application using libneon.

    OpenOffice and Subversion *DO NOT* use this function and are therefore
    not vulnerable to THIS problem.


Details:

    While scanning the libneon source code for common programming errors
    an unsafe usage of sscanf() was discovered within one of the date
    parsing functions.

    When a specially crafted date string is passed to ne_rfc1036_parse(),
    it may trigger an sscanf() string overflow into static heap variables.
    Exploitability heavily depends on the application linked against neon
    but is considered trivial in cases where an out-of-memory condition
    can be triggered, because the overflowing variable is placed in front
    of the libneon out-of-memory callback function pointer.

    Please notice that your application could be vulnerable even if you
    do not use ne_rfc1036_parse() directly, because its functionality
    is used by several higher level API functions.


Proof of Concept:

    e-matters is not going to release an exploit for this vulnerability to
    the public.


Disclosure Timeline:

    02. May 2004 - Neon developers were contacted by email
    04. May 2004 - Joe Orton has fixed the bug within neon and waits
                   for the public disclosure date
    19. May 2004 - Coordinated Public Disclosure


CVE Information:

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0398 to this issue.


Recommendation:

    Because Subversion and OpenOffice, which are the most important libneon
    users, are not using the vulnerable function the issue is rated with a
    medium severity. Nevertheless upgrading your neon version is recommended
    because other applications could be vulnerable and could expose the
    vulnerable function to the outside world.


GPG-Key:

    http://security.e-matters.de/gpg_key.asc

    pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
    Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.
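The advisory's Details section describes the defect class (an sscanf() string conversion with no width limit writing past a fixed-size buffer) without showing code. The following is an added example, not neon's code and not part of the e-matters advisory: a bounds-safe parser for an RFC 1036 date string of the form "Sunday, 06-Nov-94 08:49:37 GMT", written so that no sscanf() conversion can exceed its destination buffer, with overlong fields and trailing data rejected instead of being copied. The function name parse_rfc1036_date, the two-digit-year pivot and the sample inputs are assumptions of this example; neon's actual parsing rules are not stated on the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not neon's code): parse an RFC 1036 date such as
 * "Sunday, 06-Nov-94 08:49:37 GMT" with sscanf() so that no conversion can
 * write past its destination buffer.
 *
 * The defect class the advisory describes is an unbounded string
 * conversion, e.g. a format like
 *     "%s, %d-%3s-%d %d:%d:%d %s"
 * used with fixed-size char arrays: "%s" copies until whitespace, so an
 * overlong weekday or timezone token overruns the array and whatever sits
 * after it (in neon's case, static data). The parser below gives every
 * string conversion an explicit width one less than its buffer size and
 * then checks that the whole input was consumed. */

static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

static int month_index(const char *mon)
{
    for (int i = 0; i < 12; i++)
        if (strcmp(mon, MONTHS[i]) == 0)
            return i;
    return -1;
}

static int days_in_month(int year, int m)   /* m is 0-based */
{
    static const int d[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    return d[m] + (m == 1 && leap);
}

/* Days since 1970-01-01 for a proleptic Gregorian civil date (m is 1..12). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2u) / 5u + (unsigned)d - 1u;
    unsigned doe = yoe * 365u + yoe / 4u - yoe / 100u + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse an RFC 1036 date. Returns seconds since the epoch (UTC), or -1 if
 * the string is malformed, has overlong fields, or is not in GMT. */
long long parse_rfc1036_date(const char *date)
{
    char wkday[11], mon[4], tz[4];   /* widths in the format are sizeof - 1 */
    int day, yy, hour, min, sec, consumed = -1;

    if (date == NULL)
        return -1;
    /* Width-limited scansets: an overlong token is left unconsumed, so the
     * literal that follows fails to match and sscanf() returns early. */
    if (sscanf(date, "%10[A-Za-z], %2d-%3[A-Za-z]-%2d %2d:%2d:%2d %3[A-Za-z]%n",
               wkday, &day, mon, &yy, &hour, &min, &sec, tz, &consumed) != 8)
        return -1;
    if (consumed < 0 || date[consumed] != '\0')   /* reject trailing data */
        return -1;
    if (strcmp(tz, "GMT") != 0)
        return -1;

    int m = month_index(mon);
    if (m < 0)
        return -1;
    /* Two-digit year: POSIX strptime("%y") pivot, 69-99 -> 19xx, 00-68 -> 20xx
     * (assumption for this example; neon's own rule is not stated on the page). */
    int year = yy >= 69 ? 1900 + yy : 2000 + yy;
    if (day < 1 || day > days_in_month(year, m) ||
        hour < 0 || hour > 23 || min < 0 || min > 59 || sec < 0 || sec > 59)
        return -1;
    (void)wkday;  /* weekday is redundant with the date; accepted but unused */

    return days_from_civil(year, m + 1, day) * 86400LL
         + hour * 3600LL + min * 60LL + sec;
}

int main(void)
{
    const char *samples[] = {                         /* constructed inputs */
        "Sunday, 06-Nov-94 08:49:37 GMT",
        "Sundayyyyyyyyyyyyyyyyyyyyyyyyyyy, 06-Nov-94 08:49:37 GMT",
        "Sunday, 06-Nov-94 08:49:37 GMTXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-60s -> %lld\n", samples[i], parse_rfc1036_date(samples[i]));
    return 0;
}
```

The point to check in a code review is the one the advisory raises: every `%s` or `%[...]` conversion must carry a width, and that width must be strictly less than the destination array size to leave room for the terminator. The trailing `%n` plus the `date[consumed] == '\0'` test turns "extra bytes after the timezone" from silently ignored input into a parse error, which is the behaviour a client library should have for a header value it did not generate.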

