cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
SecurityTracker Alert ID: 1039117 |
SecurityTracker URL: http://securitytracker.com/id/1039117
CVE Reference:
CVE-2017-1000101
Date: Aug 10 2017
Impact:
Disclosure of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.34.0 - 7.54.1
Description:
A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.
A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.
A demonstration exploit URL is provided:
http://ur%20[0-60000000000000000000
The command line tool is affected.
The libcurl library is not affected.
Brian Carpenter and Yongji Ouyang independently reported this vulnerability.
Impact:
A local user can obtain potentially sensitive information from system memory on the target system.
Solution:
The vendor has issued a fix (7.55.0).
The vendor advisory is available at:
https://curl.haxx.se/docs/adv_20170809A.html
Vendor URL: curl.haxx.se/docs/adv_20170809A.html
Cause:
Boundary error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [oss-security] [SECURITY ADVISORY] curl: URL globbing out of bounds read
URL globbing out of bounds read
===============================
Project curl Security Advisory, August 9th 2017 - [Permalink](https://curl.haxx.se/docs/adv_20170809A.html)
VULNERABILITY
-------------
curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.
In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
of crashing.
An example of a URL that triggers the flaw would be
`http://ur%20[0-60000000000000000000`.
We are not aware of any exploit of this flaw.
INFO
----
This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit
[5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August
2013 (curl 7.34.0).
For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1
curl is used by many applications, but not always advertised as such.
THE SOLUTION
------------
A [patch for CVE-2017-1000101](https://curl.haxx.se/CVE-2017-1000101.patch) is
available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade curl to version 7.55.0
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the curl project on June 14, 2017. We contacted
distros@openwall on August 1.
curl 7.55.0 was released on August 9 2017, coordinated with the publication of
this advisory.
CREDITS
-------
Reported by Brian Carpenter and Yongji Ouyang (independently of each
other). Patch by Daniel Stenberg.
Thanks a lot!
--
/ daniel.haxx.se
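The VULNERABILITY section above describes a range parser that walks one byte past the end of the URL when the number in a `[min-max]` glob cannot be parsed. The following C block is an added illustration for this page, not curl's own parser: a simplified model of a numeric glob-range parser in which every cursor advance is guarded by a check of the current byte, so overflow (as in `[0-60000000000000000000`) or a missing `]` stops at the terminating NUL. The names `range_t`, `parse_num` and `parse_range` are this example's own.

```c
/* Added illustration of the bug class in the advisory above: a simplified
 * parser for a numeric URL-glob range "[min-max]" or "[min-max:step]".
 * This is NOT curl's code; it only models the described behaviour. */
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct { unsigned long min, max, step; } range_t;

/* Parse a decimal field at *pp, guarded against the two conditions that
 * must never move the cursor: a non-digit at the start and overflow.
 * Returns 1 and advances *pp on success, 0 (cursor untouched) on failure. */
static int parse_num(const char **pp, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**pp))   /* also rejects NUL, '-', blanks */
        return 0;
    errno = 0;
    *out = strtoul(*pp, &end, 10);
    if (errno == ERANGE)                 /* e.g. 60000000000000000000 */
        return 0;                        /* do not move past the field */
    *pp = end;
    return 1;
}

/* Returns the number of bytes consumed by a well-formed range, or 0 on any
 * error. Every step inspects the current byte before moving on, so a range
 * that is truncated or overflows stops at the terminating NUL instead of
 * reading beyond the end of the URL buffer. */
static size_t parse_range(const char *url, range_t *r)
{
    const char *p = url;
    if (*p++ != '[') return 0;
    if (!parse_num(&p, &r->min) || *p != '-') return 0;
    p++;                                 /* *p was '-', so not the NUL */
    if (!parse_num(&p, &r->max)) return 0;
    r->step = 1;
    if (*p == ':') {
        p++;
        if (!parse_num(&p, &r->step) || r->step == 0) return 0;
    }
    if (*p != ']' || r->min > r->max) return 0;
    return (size_t)(p + 1 - url);
}
```

A caller that appends the remaining URL text after the range should use the returned byte count as its offset and treat 0 as "reject the URL", never as "skip ahead".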