cURL / Mailing Lists / curl-users / Single Mail

curl-users

libcurl NTLM Buffer Overflow Vulnerability

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Thu, 13 Oct 2005 10:50:27 +0200 (CEST)

                   libcurl NTLM Buffer Overflow Vulnerability
                   ==========================================

Project cURL Security Advisory, October 13th 2005
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

libcurl's NTLM function can overflow a stack-based buffer if given a too long
user name or domain name. This would happen if you enable NTLM authentication
and either:

  A - pass in a user name and domain name to libcurl that together are longer
      than 192 bytes

  B - allow (lib)curl to follow HTTP "redirects" (Location: and the appropriate
      HTTP 30x response code) and the new URL contains a URL with a user name
      and domain name that together are longer than 192 bytes

There is no known exploit at the time of this writing.

2. AFFECTED VERSIONS

All versions of libcurl ever released with NTLM capabilities enabled are
vulnerable to this flaw.

libcurl builds with SSPI support (added in version 7.13.2 and only available
on Windows) are NOT affected.

On non-Windows machines, the NTLM support requires the lib to have been built
with OpenSSL support. Therefore: libcurl builds without SSL support or SSL
support provided by GnuTLS are NOT affected.

Affected versions: curl and libcurl 7.10.6 to and including 7.14.1
Not affected versions: curl and libcurl 7.10.5 and earlier, 7.15.0 and later

Also note that (lib)curl is used by many applications, and not always
advertised as such.

3. RECOMMENDATIONS

We *strongly* suggest you take one of the following actions immediately:

  I - Upgrade to curl and libcurl 7.15.0

  II - Apply the patch http://curl.haxx.se/libcurl-ntlmbuf.patch to your
       libcurl version and install this.

  III - Disable NTLM either by not enabling the command line option (to curl)
        or by not using the NTLM-enabling options with libcurl.

4. TIME LINE

We were notified by iDEFENSE at 22:15 local time October 12th 2005.

The notification mail was also sent to the wget camp (as they share pretty
much the same source and thus the same flaw). The mail to the wget project was
sent to a mail alias that is forwarded to a public mailing list with public
archives etc.

The patch was produced within 30 minutes.

A number of distributors and packagers of curl were notified the same evening
and early morning October 13th.

Mailed vendor-sec 09:00 on October 13th

I noticed the "leak" of this flaw at 09:50 October 13th and mailed vendor-sec
about it.

5. CREDITS

Reported to us by iDEFENSE, original discoverer is anonymous

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-10-13