Vulnerabilities > CVE-2005-4077 - Numeric Errors vulnerability in Daniel Stenberg Curl
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 11 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2005-1136.NASL description This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077), previous patch did not fix this problem completely. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20304 published 2005-12-15 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20304 title Fedora Core 3 : curl-7.12.3-6.fc3 (2005-1136) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200512-09.NASL description The remote host is affected by the vulnerability described in GLSA-200512-09 (cURL: Off-by-one errors in URL handling) Stefan Esser from the Hardened-PHP Project has reported a vulnerability in cURL that allows for a local buffer overflow when cURL attempts to parse specially crafted URLs. The URL can be specially crafted in one of two ways: the URL could be malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer; or the URL could contain a last seen 2020-06-01 modified 2020-06-02 plugin id 20329 published 2005-12-20 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20329 title GLSA-200512-09 : cURL: Off-by-one errors in URL handling NASL family Fedora Local Security Checks NASL id FEDORA_2005-1137.NASL description This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077), previous patch did not fix this problem completely. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20305 published 2005-12-15 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20305 title Fedora Core 4 : curl-7.13.1-5.fc4 (2005-1137) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-919.NASL description The upstream developer of curl, a multi-protocol file transfer library, informed us that the former correction to several off-by-one errors are not sufficient. For completeness please find the original bug description below : Several problems were discovered in libcurl, a multi-protocol file transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3185 A buffer overflow has been discovered in libcurl that could allow the execution of arbitrary code. - CVE-2005-4077 Stefan Esser discovered several off-by-one errors that allows local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs. last seen 2020-06-01 modified 2020-06-02 plugin id 22785 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22785 title Debian DSA-919-2 : curl - buffer overflow NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2006-003.NASL description The remote host is running Apple Mac OS X, but lacks Security Update 2006-003. This security update contains fixes for the following applications : AppKit ImageIO BOM CFNetwork ClamAV (Mac OS X Server only) CoreFoundation CoreGraphics Finder FTPServer Flash Player KeyCHain LaunchServices libcurl Mail MySQL Manager (Mac OS X Server only) Preview QuickDraw QuickTime Streaming Server Ruby Safari last seen 2020-06-01 modified 2020-06-02 plugin id 21341 published 2006-05-12 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21341 title Mac OS X Multiple Vulnerabilities (Security Update 2006-003) NASL family Fedora Local Security Checks NASL id FEDORA_2005-1130.NASL description This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20290 published 2005-12-11 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20290 title Fedora Core 3 : curl-7.12.3-5.fc3 (2005-1130) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2008-002.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 31605 published 2008-03-19 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31605 title Mac OS X Multiple Vulnerabilities (Security Update 2008-002) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-875.NASL description Updated curl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user last seen 2020-06-01 modified 2020-06-02 plugin id 20364 published 2005-12-30 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20364 title RHEL 4 : curl (RHSA-2005:875) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_9B4FACEC676111DA99F600123FFE8333.NASL description A Project cURL Security Advisory reports : libcurl last seen 2020-06-01 modified 2020-06-02 plugin id 21483 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21483 title FreeBSD : curl -- URL buffer overflow vulnerability (9b4facec-6761-11da-99f6-00123ffe8333) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-875.NASL description Updated curl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user last seen 2020-06-01 modified 2020-06-02 plugin id 21973 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21973 title CentOS 4 : curl (CESA-2005:875) NASL family Fedora Local Security Checks NASL id FEDORA_2005-1129.NASL description This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20289 published 2005-12-11 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20289 title Fedora Core 4 : curl-7.13.1-4.fc4 (2005-1129) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-228-1.NASL description Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load an URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with an HTTP redirect, so this vulnerability was usually not exploitable remotely. However, it could be exploited locally to e. g. circumvent PHP security restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20771 published 2006-01-21 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20771 title Ubuntu 4.10 / 5.04 / 5.10 : curl vulnerability (USN-228-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200603-25.NASL description The remote host is affected by the vulnerability described in GLSA-200603-25 (OpenOffice.org: Heap overflow in included libcurl) OpenOffice.org includes libcurl code. This libcurl code is vulnerable to a heap overflow when it tries to parse a URL that exceeds a 256-byte limit (GLSA 200512-09). Impact : An attacker could entice a user to call a specially crafted URL with OpenOffice.org, potentially resulting in the execution of arbitrary code with the rights of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 21160 published 2006-03-28 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21160 title GLSA-200603-25 : OpenOffice.org: Heap overflow in included libcurl NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-224.NASL description Stefan Esser discovered that libcurl last seen 2020-06-01 modified 2020-06-02 plugin id 20455 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20455 title Mandrake Linux Security Advisory : curl (MDKSA-2005:224)
Oval
| accepted | 2013-04-29T04:09:24.402-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:10855 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string. | ||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.16/SCOSA-2006.16.txt
- http://curl.haxx.se/docs/adv_20051207.html
- http://docs.info.apple.com/article.html?artnum=307562
- http://lists.apple.com/archives/security-announce/2006/May/msg00003.html
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://qa.openoffice.org/issues/show_bug.cgi?id=59032
- http://secunia.com/advisories/17907
- http://secunia.com/advisories/17960
- http://secunia.com/advisories/17961
- http://secunia.com/advisories/17965
- http://secunia.com/advisories/17977
- http://secunia.com/advisories/18105
- http://secunia.com/advisories/18188
- http://secunia.com/advisories/18336
- http://secunia.com/advisories/19261
- http://secunia.com/advisories/19433
- http://secunia.com/advisories/19457
- http://secunia.com/advisories/20077
- http://www.debian.org/security/2005/dsa-919
- http://www.gentoo.org/security/en/glsa/glsa-200512-09.xml
- http://www.gentoo.org/security/en/glsa/glsa-200603-25.xml
- http://www.hardened-php.net/advisory_242005.109.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:224
- http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00020.html
- http://www.redhat.com/support/errata/RHSA-2005-875.html
- http://www.securityfocus.com/archive/1/418849/100/0/threaded
- http://www.securityfocus.com/bid/15756
- http://www.securityfocus.com/bid/17951
- http://www.trustix.org/errata/2005/0072/
- http://www.us-cert.gov/cas/techalerts/TA06-132A.html
- http://www.vupen.com/english/advisories/2005/2791
- http://www.vupen.com/english/advisories/2006/0960
- http://www.vupen.com/english/advisories/2006/1779
- http://www.vupen.com/english/advisories/2008/0924/references
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10855
- https://usn.ubuntu.com/228-1/