cURL / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] SMB send off unrelated memory contents

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 17 Jun 2015 08:12:13 +0200 (CEST)

SMB send off unrelated memory contents
======================================

Project cURL Security Advisory, June 17th 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150617B.html)

VULNERABILITY
-------------

libcurl can get tricked by a malicious SMB server to send off data it did not
intend to.

In libcurl's state machine function handling the SMB protocol
(`smb_request_state()`), two length and offset values are extracted from data
that has arrived over the network, and those values are subsequently used to
figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed
to be valid. This allows carefully handicrafted packages to trick libcurl into
responding and sending off data that was not intended. Or just crash if the
values cause libcurl to access invalid memory.

We are not aware of any exploit of this flaw.

INFO

----
This flaw can also affect the curl command line tool if a similar operation
series is made with that.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2015-3237 to this issue.
AFFECTED VERSIONS
-----------------
This flaw is relevant for
- Affected versions: libcurl 7.40.0 to and including 7.42.1
- Not affected versions: libcurl < 7.40.0 and libcurl >= 7.43.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
In version 7.43.0, libcurl properly range checks the values before they are
used.
A patch for this problem that changes the default is available at (URL will be
updated in final advisory):
     http://curl.haxx.se/CVE-2015-3237.patch
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 7.43.0
  B - Apply the patch to your version and rebuild
  C - Avoid using the SMB protocol
TIME LINE
---------
It was first brought up with the curl-security team on May 22 2015. We
contacted distros_at_openwall on June 11.
libcurl 7.43.0 was released on June 17 2015, coordinated with the publication
of this advisory.
CREDITS
-------
Spotted by Daniel Stenberg.
Thanks a lot!
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-06-17

This message: [ Message body ]
Next message: Hongyi Zhao: "Using curl to list the entries for a ftp/http site recursively."
Previous message: Daniel Stenberg: "[SECURITY ADVISORY] lingering HTTP credentials in connection re-use"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]