SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   curl Vendors:   curl.haxx.se
cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
SecurityTracker Alert ID:  1039117
SecurityTracker URL:  http://securitytracker.com/id/1039117
CVE Reference:   CVE-2017-1000101   (Links to External Site)
Date:  Aug 10 2017
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.34.0 - 7.54.1
Description:   A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.

A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.

A demonstration exploit URL is provided:

http://ur%20[0-60000000000000000000

The command line tool is affected.

The libcurl library is not affected.

Brian Carpenter and Yongji Ouyang independently reported this vulnerability.

Impact:   A local user can obtain potentially sensitive information from system memory on the target system.
Solution:   The vendor has issued a fix (7.55.0).

The vendor advisory is available at:

https://curl.haxx.se/docs/adv_20170809A.html

Vendor URL:  curl.haxx.se/docs/adv_20170809A.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 11 2017 (Ubuntu Issues Fix) cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, and 17.04.
Oct 24 2017 (Ubuntu Issues Fix) cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
Ubuntu has issued a fix for Ubuntu Linux 12.04 ESM.



 Source Message Contents

Subject:  [oss-security] [SECURITY ADVISORY] curl: URL globbing out of bounds read

URL globbing out of bounds read
===============================

Project curl Security Advisory, August 9th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_20170809A.html)

VULNERABILITY
-------------

curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.

In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
of crashing.

An example of a URL that triggers the flaw would be
`http://ur%20[0-60000000000000000000`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit
[5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August
2013. curl 7.34.0.

For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2017-1000101](https://curl.haxx.se/CVE-2017-1000101.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.55.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was reported to the curl project on June 14, 2017.  We contacted
distros@openwall on August 1.

curl 7.55.0 was released on August 9 2017, coordinated with the publication of
this advisory.

CREDITS
-------

Reported by Brian Carpenter and Yongji Ouyang (independently of each
other). Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC