SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   cURL Vendors:   curl.haxx.se
cURL URL Globbing Flaw Lets Local Users View Portions of System Memory on the Target System
SecurityTracker Alert ID:  1039117
SecurityTracker URL:  http://securitytracker.com/id/1039117
CVE Reference:   CVE-2017-1000101   (Links to External Site)
Date:  Aug 10 2017
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.34.0 - 7.54.1
Description:   A vulnerability was reported in cURL. A local user can obtain potentially sensitive information from system memory.

A local user can supply a URL containing specially crafted numerical range characters to trigger a heap read error and obtain potentially sensitive information from system memory on the target system.

A demonstration exploit URL is provided:

http://ur%20[0-60000000000000000000

The command line tool is affected.

The libcurl library is not affected.

Brian Carpenter and Yongji Ouyang independently reported this vulnerability.

Impact:   A local user can obtain potentially sensitive information from system memory on the target system.
Solution:   The vendor has issued a fix (7.55.0).

The vendor advisory is available at:

https://curl.haxx.se/docs/adv_20170809A.html

Vendor URL:  curl.haxx.se/docs/adv_20170809A.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] [SECURITY ADVISORY] curl: URL globbing out of bounds read

URL globbing out of bounds read
===============================

Project curl Security Advisory, August 9th 2017 -
[Permalink](https://curl.haxx.se/docs/adv_20170809A.html)

VULNERABILITY
-------------

curl supports "globbing" of URLs, in which a user can pass a numerical range
to have the tool iterate over those numbers to do a sequence of transfers.

In the globbing function that parses the numerical range, there was an
omission that made curl read a byte beyond the end of the URL if given a
carefully crafted, or just wrongly written, URL. The URL is stored in a heap
based buffer, so it could then be made to wrongly read something else instead
of crashing.

An example of a URL that triggers the flaw would be
`http://ur%20[0-60000000000000000000`.

We are not aware of any exploit of this flaw.

INFO
----

This flaw only affects the curl command line tool, not the libcurl
library. The bug was introduced in commit
[5ca96cb84410270](https://github.com/curl/curl/commit/5ca96cb84410270), August
2013. curl 7.34.0.

For version 7.55.0, the parser properly stops at the end of the string and a
test has been added to verify this.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000101 to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.34.0 to and including 7.54.1
- Not affected versions: curl < 7.34.0 and >= 7.55.1

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

A [patch for CVE-2017-1000101](https://curl.haxx.se/CVE-2017-1000101.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl to version 7.55.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was reported to the curl project on June 14, 2017.  We contacted
distros@openwall on August 1.

curl 7.55.0 was released on August 9 2017, coordinated with the publication of
this advisory.

CREDITS
-------

Reported by Brian Carpenter and Yongji Ouyang (independently of each
other). Patch by Daniel Stenberg.

Thanks a lot!

-- 

  / daniel.haxx.se
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC