While trying to reproduce libcurl SASL buffer overflow (as noted in advisory: http://curl.haxx.se/docs/adv_20130206.html) using SMTP, I encountered a separate problem that causes cURL to terminate when processing base64 encoded Digest-MD5 challenges.
Program received signal SIGSEGV, Segmentation fault.
__strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
(gdb) bt
#0  __strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
#1  0x00007ffff7bc624f in sasl_digest_get_key_value () from /usr/local/lib/libcurl.so.4
#2  0x00007ffff7bc68d9 in Curl_sasl_create_digest_md5_message () from usr/local/lib/libcurl.so.4
#3  0x00007ffff7bc1247 in smtp_statemach_act () from /usr/local/lib/libcurl.so.4
#4  0x00007ffff7bc02c6 in smtp_multi_statemach () from /usr/local/lib/libcurl.so.4
#5  0x00007ffff7bb4adf in multi_runsingle () from /usr/local/lib/libcurl.so.4
#6  0x00007ffff7bb54e5 in curl_multi_perform () from /usr/local/lib/libcurl.so.4
#7  0x00007ffff7bae3ed in curl_easy_perform () from /usr/local/lib/libcurl.so.4
#8  0x0000000000409e87 in operate ()
#9  0x000000000040229a in main ()
The following message exchange between cURL and the SMTP server should reproduce the problem:
< 220 dhcp164.vrt.telus.com ESMTP (Ubuntu)
EHLO .
< 250-dhcp164.vrt.telus.com Hello .
< 250 AUTH DIGEST-MD5
AUTH DIGEST-MD5
< 334
< eA==
When the server sends any base64-encoded string, in this case "eA==", cURL crashes.
The problem is that "chlg" is returned as NULL after the call to Curl_base64_decode() in the function Curl_sasl_create_digest_md5_message() in libs/curl_sasl.c.
Tested using:
curl 7.29.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.29.1-DEV
cURL -L was used to connect to an HTTP URL containing the SMTP redirect.
Compiled from:
git rev-parse HEAD: 463082bea42d8bea751303da340218a18fb67e85
Patch:
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index d07387d..4d13263 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -283,6 +283,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
if(result)
return result;
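Review bot: the hunk is truncated as posted: the header `@@ -283,6 +283,9 @@` announces three added lines, but only the two context lines `if(result)` / `return result;` appear and no `+` lines follow them, so the patch cannot be applied or reviewed in this form; please resend the complete hunk. Judging from the report text, the added lines should reject the case where `chlg` comes back NULL from `Curl_base64_decode()` in addition to testing `result`, since the crash happens in `sasl_digest_get_key_value()` when that NULL buffer reaches `strstr()`; a check of the decoded length at the same point would cover the empty-challenge case with the same guard.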
I'm not on any mailing list. Please contact me using email directly if I can be of any further assistance.
Cheers,
Saran Neti,
Vulnerability Researcher, Telus Security Labs
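The pattern behind this crash is a decoded buffer that is never checked before it is handed to strstr(). The following is an added, self-contained C example (not libcurl's code and not the reporter's patch) showing how a digest challenge handler can decode the base64 challenge and extract the nonce while rejecting NULL, empty, malformed and unterminated input instead of dereferencing it. The decoder b64_decode(), the extractor digest_get_key_value() and the wrappers handle_digest_challenge() and nonce_matches() are hypothetical names invented for this example; the sample challenges are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(int c)
{
    if(c >= 'A' && c <= 'Z') return c - 'A';
    if(c >= 'a' && c <= 'z') return c - 'a' + 26;
    if(c >= '0' && c <= '9') return c - '0' + 52;
    if(c == '+') return 62;
    if(c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder (constructed for this example, not libcurl's
 * Curl_base64_decode). Returns a NUL-terminated heap buffer and stores the
 * decoded length in *outlen; returns NULL for empty or malformed input. */
unsigned char *b64_decode(const char *src, size_t *outlen)
{
    size_t len = strlen(src), pad = 0, i, o = 0;
    unsigned char *out;

    *outlen = 0;
    if(len == 0 || len % 4 != 0)
        return NULL;
    if(src[len - 1] == '=') {
        pad = 1;
        if(src[len - 2] == '=')
            pad = 2;
    }
    out = malloc(len / 4 * 3 + 1);
    if(!out)
        return NULL;
    for(i = 0; i < len; i += 4) {
        uint32_t acc = 0;
        int k;
        for(k = 0; k < 4; k++) {
            int c = src[i + k], v;
            /* '=' is only legal in the final group, in the padded slots */
            if(c == '=' && i + 4 == len && (size_t)k >= 4 - pad)
                v = 0;
            else if((v = b64_val(c)) < 0) {
                free(out);
                return NULL;
            }
            acc = (acc << 6) | (uint32_t)v;
        }
        out[o++] = (unsigned char)(acc >> 16);
        out[o++] = (unsigned char)(acc >> 8);
        out[o++] = (unsigned char)acc;
    }
    o -= pad;
    out[o] = '\0';
    *outlen = o;
    return out;
}

/* Copy the value of key="..." from a decoded challenge into value.
 * Returns 0 on success, -1 if the challenge is NULL/empty, the key is
 * missing, the closing quote is missing, or the value would not fit
 * (refusing to copy is the guard against the buffer overflow). */
int digest_get_key_value(const char *chlg, const char *key,
                         char *value, size_t valuelen)
{
    const char *start, *end;
    size_t n;

    if(!chlg || !*chlg || !key || !value || valuelen == 0)
        return -1;
    start = strstr(chlg, key);          /* key includes the opening quote */
    if(!start)
        return -1;
    start += strlen(key);
    end = strchr(start, '"');
    if(!end)
        return -1;
    n = (size_t)(end - start);
    if(n >= valuelen)
        return -1;
    memcpy(value, start, n);
    value[n] = '\0';
    return 0;
}

/* Decode a base64 challenge and extract the nonce. The NULL/length check
 * here is the guard whose absence produced the strstr(NULL, ...) crash. */
int handle_digest_challenge(const char *b64chlg, char *nonce, size_t noncelen)
{
    size_t len = 0;
    int rc;
    unsigned char *chlg = b64_decode(b64chlg, &len);

    /* digest challenges are text: an embedded NUL is treated as malformed */
    if(!chlg || len == 0 || memchr(chlg, '\0', len)) {
        free(chlg);
        return -1;
    }
    rc = digest_get_key_value((const char *)chlg, "nonce=\"", nonce, noncelen);
    free(chlg);
    return rc;
}

/* 1 if the challenge yields exactly the expected nonce, else 0. */
int nonce_matches(const char *b64chlg, const char *expected)
{
    char nonce[64];
    return handle_digest_challenge(b64chlg, nonce, sizeof(nonce)) == 0 &&
           strcmp(nonce, expected) == 0;
}

int main(void)
{
    /* constructed inputs: base64 of nonce="abc", and the "eA==" from the report */
    printf("good challenge: %d\n", nonce_matches("bm9uY2U9ImFiYyI=", "abc"));
    printf("eA== challenge: %d\n", nonce_matches("eA==", "x"));
    return 0;
}
```

The handler returns an error for the "eA==" case rather than crashing, because the decoded byte "x" contains no nonce; the same code path also rejects an empty challenge and a challenge whose nonce has no closing quote.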
Thanks, this is now fixed in git with commit e6c1e773d9e506e.