CVE-2005-0490 - Incorrect Calculation of Buffer Size vulnerability in Haxx Curl and Libcurl

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, haxx, CWE-131, nessus

Summary

Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.

Vulnerable Configurations

Part         Description   Count
Application  Haxx          2

Common Weakness Enumeration (CWE)

  • CWE-131 - Incorrect Calculation of Buffer Size

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
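
The decoded-size check whose absence the summary and the CAPEC entries above describe, as an added illustration in C. This is not curl's code and does not reproduce http_ntlm.c; it mirrors the shape of the bug (a base64 NTLM reply from the server decoded into a fixed-size stack buffer by a routine that never learns the buffer's size) and sets it beside a decoder that computes the output length from the input before writing. The function names, the 256-byte buffer capacity, the 1024-byte header scratch space and the sample header values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Capacity of the fixed stack buffer the NTLM type-2 reply is decoded into.
   Assumed for this example; not taken from curl. */
#define NTLM_TYPE2_CAP 256

/* 6-bit value of one base64 alphabet character, or -1 for anything else
   ('=' padding, whitespace, NUL), which terminates the payload. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Number of base64 characters before the first non-alphabet byte. */
static size_t b64_payload_len(const char *src)
{
    size_t n = 0;
    while (b64_val((unsigned char)src[n]) >= 0)
        n++;
    return n;
}

/* Exact decoded size: 3 bytes per full group of 4 characters, plus 1 or 2 bytes
   for a trailing group of 2 or 3. Computing this before writing is the step
   whose absence is CWE-131. */
size_t b64_decoded_size(const char *src)
{
    size_t n = b64_payload_len(src), tail = n % 4;
    return (n / 4) * 3 + (tail >= 2 ? tail - 1 : 0);
}

/* Shared decode loop; the caller must guarantee dest can hold the output. */
static size_t decode_core(const char *src, size_t n, unsigned char *dest)
{
    size_t i, j, out = 0;
    for (i = 0; i < n; i += 4) {
        size_t k = (n - i < 4) ? n - i : 4;   /* characters in this group */
        uint32_t acc = 0;
        for (j = 0; j < 4; j++)
            acc = (acc << 6) | (j < k ? (uint32_t)b64_val((unsigned char)src[i + j]) : 0u);
        if (k >= 2) dest[out++] = (unsigned char)(acc >> 16);
        if (k >= 3) dest[out++] = (unsigned char)(acc >> 8);
        if (k == 4) dest[out++] = (unsigned char)acc;
    }
    return out;
}

/* Vulnerable shape: writes as many bytes as the reply encodes and never learns how
   big dest is. With a 256-byte stack buffer and a reply that decodes to 300 bytes it
   writes 44 bytes past the end. Shown for contrast; nothing below calls it. */
size_t b64_decode_unbounded(const char *src, unsigned char *dest)
{
    return decode_core(src, b64_payload_len(src), dest);
}

/* Hardened shape: size the output from the input first and refuse a reply that
   would not fit. Returns 0 on success, -1 when the reply is too large. */
int b64_decode_bounded(const char *src, unsigned char *dest, size_t cap, size_t *outlen)
{
    if (b64_decoded_size(src) > cap)
        return -1;                         /* reject before writing a single byte */
    *outlen = decode_core(src, b64_payload_len(src), dest);
    return 0;
}

/* Decode the "NTLM <base64>" value of a WWW-Authenticate header into a
   caller-supplied fixed buffer, with the bounds check in front. */
int ntlm_input_checked(const char *header, unsigned char *type2, size_t cap, size_t *outlen)
{
    if (strncmp(header, "NTLM", 4) != 0)
        return -1;
    header += 4;
    while (*header == ' ' || *header == '\t')
        header++;
    return b64_decode_bounded(header, type2, cap, outlen);
}

/* Run one constructed server reply through the checked path into a stack buffer of
   NTLM_TYPE2_CAP bytes. Returns -1 if the size check rejected it, -2 if it decoded
   but does not start with the "NTLMSSP\0" signature, otherwise the decoded length. */
int ntlm_reply_check(const char *b64_payload)
{
    char header[1024] = "NTLM ";
    unsigned char type2[NTLM_TYPE2_CAP];
    size_t len = 0;
    strncat(header, b64_payload, sizeof header - 6);
    if (ntlm_input_checked(header, type2, sizeof type2, &len) != 0)
        return -1;
    if (len < 8 || memcmp(type2, "NTLMSSP", 8) != 0)
        return -2;
    return (int)len;
}

/* Constructed malicious reply: 400 base64 characters, decoding to 300 bytes. */
const char *constructed_oversized_reply(void)
{
    static char payload[401];
    memset(payload, 'A', 400);
    payload[400] = '\0';
    return payload;
}
```

The constructed benign reply "TlRMTVNTUAAC" decodes to the 9 bytes "NTLMSSP\0" followed by the type byte 0x02 and passes; the 400-character reply is refused by b64_decode_bounded before anything is written, which is the whole fix: the decoder must know the destination's capacity and compare it against a length derived from the input, rather than trusting that a server reply will be short.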

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-340.NASL
    description: Updated curl packages are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21805
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21805
    title: CentOS 3 / 4 : curl (CESA-2005:340)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:340 and 
    # CentOS Errata and Security Advisory 2005:340 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21805);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2005-0490");
      script_xref(name:"RHSA", value:"2005:340");
    
      script_name(english:"CentOS 3 / 4 : curl (CESA-2005:340)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated curl packages are now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and
    Dict servers, using any of the supported protocols. cURL is designed
    to work without user interaction or any kind of interactivity.
    
    Multiple buffer overflow bugs were found in the way curl processes
    base64 encoded replies. If a victim can be tricked into visiting a URL
    with curl, a malicious web server could execute arbitrary code on a
    victim's machine. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.
    
    All users of curl are advised to upgrade to these updated packages,
    which contain backported fixes for these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-April/011531.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c54131bf"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-April/011532.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4c182953"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-April/011538.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a912cddc"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-April/011542.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3d96c6e9"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-April/011545.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?290c9f49"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected curl packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:curl-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"curl-7.10.6-6.rhel3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"curl-devel-7.10.6-6.rhel3")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"curl-7.12.1-5.rhel4")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"curl-devel-7.12.1-5.rhel4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-devel");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200503-20.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200503-20 (curl: NTLM response buffer overflow). curl fails to properly check boundaries when handling NTLM authentication. Impact: With a malicious server an attacker could send a carefully crafted NTLM response to a connecting client leading to the execution of arbitrary code with the permissions of the user running curl. Workaround: Disable NTLM authentication by not using the --anyauth or --ntlm options.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17345
    published: 2005-03-17
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17345
    title: GLSA-200503-20 : curl: NTLM response buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200503-20.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17345);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-0490");
      script_xref(name:"GLSA", value:"200503-20");
    
      script_name(english:"GLSA-200503-20 : curl: NTLM response buffer overflow");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200503-20
    (curl: NTLM response buffer overflow)
    
        curl fails to properly check boundaries when handling NTLM
        authentication.
      
    Impact :
    
        With a malicious server an attacker could send a carefully crafted
        NTLM response to a connecting client leading to the execution of
        arbitrary code with the permissions of the user running curl.
      
    Workaround :
    
        Disable NTLM authentication by not using the --anyauth or --ntlm
        options."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200503-20"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All curl users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/curl-7.13.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:curl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/17");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/curl", unaffected:make_list("ge 7.13.1"), vulnerable:make_list("lt 7.13.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-340.NASL
    description: Updated curl packages are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17979
    published: 2005-04-06
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17979
    title: RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:340. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17979);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-0490");
      script_xref(name:"RHSA", value:"2005:340");
    
      script_name(english:"RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated curl packages are now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and
    Dict servers, using any of the supported protocols. cURL is designed
    to work without user interaction or any kind of interactivity.
    
    Multiple buffer overflow bugs were found in the way curl processes
    base64 encoded replies. If a victim can be tricked into visiting a URL
    with curl, a malicious web server could execute arbitrary code on a
    victim's machine. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.
    
    All users of curl are advised to upgrade to these updated packages,
    which contain backported fixes for these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0490"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:340"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected curl and / or curl-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:curl-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:340";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"curl-7.8-2.rhel2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"curl-devel-7.8-2.rhel2")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"curl-7.10.6-6.rhel3")) flag++;
      if (rpm_check(release:"RHEL3", reference:"curl-devel-7.10.6-6.rhel3")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"curl-7.12.1-5.rhel4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"curl-devel-7.12.1-5.rhel4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-devel");
      }
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-86-1.NASL
    description: infamous41md discovered a buffer overflow in cURL's NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer. This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20711
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20711
    title: Ubuntu 4.10 : curl vulnerability (USN-86-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-86-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20711);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2005-0490");
      script_xref(name:"USN", value:"86-1");
    
      script_name(english:"Ubuntu 4.10 : curl vulnerability (USN-86-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "infamous41md discovered a buffer overflow in cURL's NT LAN Manager
    (NTLM) authentication handling. By sending a specially crafted long
    NTLM reply packet, a remote attacker could overflow the reply buffer.
    This could lead to execution of arbitrary attacker specified code with
    the privileges of the application using the cURL library.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"curl", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcurl2", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dbg", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-dev", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"libcurl2-gssapi", pkgver:"7.12.0.is.7.11.2-1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl2 / libcurl2-dbg / libcurl2-dev / libcurl2-gssapi");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-048.NASL
    description: 'infamous41md
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17277
    published: 2005-03-06
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17277
    title: Mandrake Linux Security Advisory : curl (MDKSA-2005:048)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_011.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:011 (curl). infamous41md reported a vulnerability in libcurl, the HTTP/FTP retrieval library. This library is used by lots of programs, including YaST2 and PHP4. The NTLM authorization in curl had a buffer overflow in the base64 decoding which allows a remote attacker using a prepared remote server to execute code for the user using curl. The Kerberos authorization has a similar bug, but is not compiled in on SUSE Linux. This is tracked by the Mitre CVE ID CVE-2005-0490.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17238
    published: 2005-03-01
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17238
    title: SUSE-SA:2005:011: curl
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_96DF5FD0890011D9AA180001020EED82.NASL
    description: Two iDEFENSE Security Advisories report: An exploitable stack-based buffer overflow condition exists when using NT Lan Manager (NTLM) authentication. The problem specifically exists within Curl_input_ntlm() defined in lib/http_ntlm.c. Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using NTLM authentication. An exploitable stack-based buffer overflow condition exists when using Kerberos authentication. The problem specifically exists within the functions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c. Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using Kerberos authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19038
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19038
    title: FreeBSD : curl -- authentication buffer overflow vulnerability (96df5fd0-8900-11d9-aa18-0001020eed82)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL4447.NASL
    description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78203
    published: 2014-10-10
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78203
    title: F5 Networks BIG-IP : cURL buffer overflow vulnerability (SOL4447)

Oval

accepted: 2013-04-29T04:04:13.466-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
family: unix
id: oval:org.mitre.oval:def:10273
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.
version: 26

Redhat

advisories:
rhsa:
id: RHSA-2005:340
rpms:
  • curl-0:7.10.6-6.rhel3
  • curl-0:7.12.1-5.rhel4
  • curl-debuginfo-0:7.10.6-6.rhel3
  • curl-debuginfo-0:7.12.1-5.rhel4
  • curl-devel-0:7.10.6-6.rhel3
  • curl-devel-0:7.12.1-5.rhel4
