cURL / Mailing Lists / curl-users / Single Mail

curl-users

[ curl-Bugs-783142 ] Curl buffer overflow bug "User-Agent / URL" leaks local info

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 04 Aug 2003 15:25:21 -0700

Bugs item #783142, was opened at 2003-08-04 15:25
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=783142&group_id=976

Category: package
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Daniel Stenberg (bagder)
Summary: Curl buffer overflow bug "User-Agent / URL" leaks local info

Initial Comment:
Hi,

I appear to have discovered that there is a buffer
overflow bug in Curl (Win32) and possibly other versions
when either a long User-Agent or URL is used (or both).

I tested the following with Curl 7.8 (win32) libcurl 7.8
(no SSL), I wanted to test this on the latest version just
released however for some reasons I was unable to get
*any* of the newer Win32 versions to work on this PC
after downloading them from the Curl homepage ! So
this might have been fixed in a more recent version.

Demostration of the bug
-----------------------
1)Locate a Win32 machine with a copy of Curl (win32)
2)First create a unique folder, e.g. D:\bufferoverflow
3)Run the following command-line:

curl.exe -vv -
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEN
DTEXT http://www.curlsitetotest.com/BBBBBBBBB

Note how the folder name is "leaked" to the webserver
log file:

192.168.0.10 - - [04/Aug/2003:22:43:40
+0100] "GET /D:bufferoverflow HTTP/1.1" 404 288 "-
" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA

You can also see this in http info returned by Curl:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /D:bufferoverflow was not found on
this server.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at webserver Port
80</ADDRESS>
</BODY></HTML>
 

Thanks to Paul J. Marsh his for assistance by the loan of
his webserver (rather than mine) to help document this.

Regards

Richard L. James ( richard_l_james_at_yahoo.co.uk )
http://www.wimborne.org/richard/

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=783142&group_id=976

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
Received on 2003-08-05