CVE-2005-0490 - Incorrect Calculation of Buffer Size vulnerability in Haxx Curl and Libcurl

Attack vector | Attack complexity | Privileges required | Confidentiality impact | Integrity impact | Availability impact
---|---|---|---|---|---
NETWORK | LOW | LOW | HIGH | HIGH | HIGH

Summary
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 2
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Buffer Overflow via Parameter Expansion: In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Nessus
- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2005-340.NASL
- description: Updated curl packages are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21805
- published: 2006-07-03
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21805
- title: CentOS 3 / 4 : curl (CESA-2005:340)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:340 and
# CentOS Errata and Security Advisory 2005:340 respectively.
#

include("compat.inc");

if (description)
{
  script_id(21805);
  script_version("1.19");
  script_cvs_date("Date: 2019/10/25 13:36:02");

  script_cve_id("CVE-2005-0490");
  script_xref(name:"RHSA", value:"2005:340");

  script_name(english:"CentOS 3 / 4 : curl (CESA-2005:340)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated curl packages are now available.

This update has been rated as having low security impact by the Red
Hat Security Response Team.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and
Dict servers, using any of the supported protocols. cURL is designed
to work without user interaction or any kind of interactivity.

Multiple buffer overflow bugs were found in the way curl processes
base64 encoded replies. If a victim can be tricked into visiting a URL
with curl, a malicious web server could execute arbitrary code on a
victim's machine. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.

All users of curl are advised to upgrade to these updated packages,
which contain backported fixes for these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-April/011531.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c54131bf"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-April/011532.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4c182953"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-April/011538.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a912cddc"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-April/011542.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3d96c6e9"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-April/011545.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?290c9f49"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected curl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:curl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-3", reference:"curl-7.10.6-6.rhel3")) flag++;
if (rpm_check(release:"CentOS-3", reference:"curl-devel-7.10.6-6.rhel3")) flag++;
if (rpm_check(release:"CentOS-4", reference:"curl-7.12.1-5.rhel4")) flag++;
if (rpm_check(release:"CentOS-4", reference:"curl-devel-7.12.1-5.rhel4")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-devel");
}
```
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200503-20.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200503-20 (curl: NTLM response buffer overflow). curl fails to properly check boundaries when handling NTLM authentication. Impact: With a malicious server an attacker could send a carefully crafted NTLM response to a connecting client leading to the execution of arbitrary code with the permissions of the user running curl. Workaround: Disable NTLM authentication by not using the --anyauth or --ntlm options.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17345
- published: 2005-03-17
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/17345
- title: GLSA-200503-20 : curl: NTLM response buffer overflow
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200503-20.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(17345);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-0490");
  script_xref(name:"GLSA", value:"200503-20");

  script_name(english:"GLSA-200503-20 : curl: NTLM response buffer overflow");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200503-20
(curl: NTLM response buffer overflow)

    curl fails to properly check boundaries when handling NTLM
    authentication.

Impact :

    With a malicious server an attacker could send a carefully crafted
    NTLM response to a connecting client leading to the execution of
    arbitrary code with the permissions of the user running curl.

Workaround :

    Disable NTLM authentication by not using the --anyauth or --ntlm
    options."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200503-20"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All curl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-misc/curl-7.13.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:curl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/17");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"net-misc/curl", unaffected:make_list("ge 7.13.1"), vulnerable:make_list("lt 7.13.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
```
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2005-340.NASL
- description: Updated curl packages are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17979
- published: 2005-04-06
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/17979
- title: RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:340. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(17979);
  script_version ("1.25");
  script_cvs_date("Date: 2019/10/25 13:36:11");

  script_cve_id("CVE-2005-0490");
  script_xref(name:"RHSA", value:"2005:340");

  script_name(english:"RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated curl packages are now available.

This update has been rated as having low security impact by the Red
Hat Security Response Team.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and
Dict servers, using any of the supported protocols. cURL is designed
to work without user interaction or any kind of interactivity.

Multiple buffer overflow bugs were found in the way curl processes
base64 encoded replies. If a victim can be tricked into visiting a URL
with curl, a malicious web server could execute arbitrary code on a
victim's machine. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.

All users of curl are advised to upgrade to these updated packages,
which contain backported fixes for these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-0490"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:340"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected curl and / or curl-devel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(2\.1|3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:340";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"curl-7.8-2.rhel2")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"curl-devel-7.8-2.rhel2")) flag++;
  if (rpm_check(release:"RHEL3", reference:"curl-7.10.6-6.rhel3")) flag++;
  if (rpm_check(release:"RHEL3", reference:"curl-devel-7.10.6-6.rhel3")) flag++;
  if (rpm_check(release:"RHEL4", reference:"curl-7.12.1-5.rhel4")) flag++;
  if (rpm_check(release:"RHEL4", reference:"curl-devel-7.12.1-5.rhel4")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-devel");
  }
}
```
- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-86-1.NASL
- description: infamous41md discovered a buffer overflow in cURL
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20711
- published: 2006-01-15
- reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20711
- title: Ubuntu 4.10 : curl vulnerability (USN-86-1)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-86-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20711);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2005-0490");
  script_xref(name:"USN", value:"86-1");

  script_name(english:"Ubuntu 4.10 : curl vulnerability (USN-86-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"infamous41md discovered a buffer overflow in cURL's NT LAN Manager
(NTLM) authentication handling. By sending a specially crafted long
NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with
the privileges of the application using the cURL library.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"curl", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dbg", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dev", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-gssapi", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl2 / libcurl2-dbg / libcurl2-dev / libcurl2-gssapi");
}
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2005-048.NASL
- description: 'infamous41md
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17277
- published: 2005-03-06
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/17277
- title: Mandrake Linux Security Advisory : curl (MDKSA-2005:048)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SA_2005_011.NASL
- description: The remote host is missing the patch for the advisory SUSE-SA:2005:011 (curl). [email protected] reported a vulnerability in libcurl, the HTTP/FTP retrieval library. This library is used by lots of programs, including YaST2 and PHP4. The NTLM authorization in curl had a buffer overflow in the base64 decoding which allows a remote attacker using a prepared remote server to execute code for the user using curl. The Kerberos authorization has a similar bug, but is not compiled in on SUSE Linux. This is tracked by the Mitre CVE ID CVE-2005-0490.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17238
- published: 2005-03-01
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/17238
- title: SUSE-SA:2005:011: curl

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_96DF5FD0890011D9AA180001020EED82.NASL
- description: Two iDEFENSE Security Advisories report: An exploitable stack-based buffer overflow condition exists when using NT Lan Manager (NTLM) authentication. The problem specifically exists within Curl_input_ntlm() defined in lib/http_ntlm.c. Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using NTLM authentication. An exploitable stack-based buffer overflow condition exists when using Kerberos authentication. The problem specifically exists within the functions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c. Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using Kerberos authentication.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 19038
- published: 2005-07-13
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/19038
- title: FreeBSD : curl -- authentication buffer overflow vulnerability (96df5fd0-8900-11d9-aa18-0001020eed82)

- NASL family: F5 Networks Local Security Checks
- NASL id: F5_BIGIP_SOL4447.NASL
- description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 78203
- published: 2014-10-10
- reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/78203
- title: F5 Networks BIG-IP : cURL buffer overflow vulnerability (SOL4447)
Oval
Field | Value
---|---
accepted | 2013-04-29T04:04:13.466-04:00
class | vulnerability
contributors | 
definition_extensions | 
description | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
family | unix
id | oval:org.mitre.oval:def:10273
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
version | 26
References
- http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000940
- http://www.gentoo.org/security/en/glsa/glsa-200503-20.xml
- http://www.redhat.com/support/errata/RHSA-2005-340.html
- http://www.novell.com/linux/security/advisories/2005_11_curl.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:048
- http://www.securityfocus.com/bid/12615
- http://www.securityfocus.com/bid/12616
- http://marc.info/?l=full-disclosure&m=110959085507755&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19423
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10273