Vulnerabilities > CVE-2012-0036 - SQL Injection vulnerability in Curl and Libcurl

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
curl
CWE-89
nessus
NVD
Published: 2012-04-13
Updated: 2018-01-10

Summary

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Vulnerable Configurations

Part Description Count
Application
Curl
26

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_7_4.NASL
    descriptionThe remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components : - Login Window - Bluetooth - curl - HFS - Kernel - libarchive - libsecurity - libxml - LoginUIFramework - PHP - Quartz Composer - QuickTime - Ruby - Security Framework - Time Machine - X11 Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7.
    last seen2020-06-01
    modified2020-06-02
    plugin id59066
    published2012-05-10
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59066
    titleMac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)
    code
    #
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);    # Avoid problems with large number of xrefs.


include("compat.inc");


if (description)
{
  script_id(59066);
  script_version("1.27");
  script_cvs_date("Date: 2018/07/16 12:48:31");

  script_cve_id(
    "CVE-2011-1004",
    "CVE-2011-1005",
    "CVE-2011-1777",
    "CVE-2011-1778",
    "CVE-2011-1944",
    "CVE-2011-2821",
    "CVE-2011-2834",
    "CVE-2011-2895",
    "CVE-2011-3212",
    "CVE-2011-3389",
    "CVE-2011-3919",
    "CVE-2011-4566",
    "CVE-2011-4815",
    "CVE-2011-4885",
    "CVE-2012-0036",
    "CVE-2012-0642",
    "CVE-2012-0649",
    "CVE-2012-0652",
    "CVE-2012-0654",
    "CVE-2012-0655",
    "CVE-2012-0656",
    "CVE-2012-0657",
    "CVE-2012-0658",
    "CVE-2012-0659",
    "CVE-2012-0660",
    "CVE-2012-0661",
    "CVE-2012-0662",
    "CVE-2012-0675",
    "CVE-2012-0830"
  );
  script_bugtraq_id(
    46458,
    46460,
    47737,
    48056,
    49124,
    49279,
    49658,
    49778,
    50907,
    51193,
    51198,
    51300,
    51665,
    51830,
    52364,
    53456,
    53457,
    53459,
    53462,
    53465,
    53466,
    53467,
    53468,
    53469,
    53470,
    53471,
    53473
  );
  script_xref(name:"TRA", value:"TRA-2012-02");
  script_xref(name:"CERT", value:"864643");
  script_xref(name:"ZDI", value:"ZDI-12-135");

  script_name(english:"Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)");
  script_summary(english:"Check the version of Mac OS X.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes several
security issues."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is running a version of Mac OS X 10.7.x that is prior
to 10.7.4. The newer version contains numerous security-related fixes
for the following components :

  - Login Window
  - Bluetooth
  - curl
  - HFS
  - Kernel
  - libarchive
  - libsecurity
  - libxml
  - LoginUIFramework
  - PHP
  - Quartz Composer
  - QuickTime
  - Ruby
  - Security Framework
  - Time Machine
  - X11

Note that this update addresses the recent FileVault password
vulnerability, in which user passwords are stored in plaintext to a
system-wide debug log if the legacy version of FileVault is used to
encrypt user directories after a system upgrade to Lion. Since the
patch only limits further exposure, though, we recommend that all
users on the system change their passwords if user folders were
encrypted using the legacy version of FileVault prior to and after an
upgrade to OS X 10.7."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2012-02");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5281");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/May/msg00001.html");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-135");
  script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2012/Aug/64");
  script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade to Mac OS X 10.7.4 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/10");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
 
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");

  exit(0);
}

os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  os = get_kb_item("Host/OS");
  if (isnull(os)) exit(0, "The 'Host/OS' KB item is missing.");
  if ("Mac OS X" >!< os) exit(0, "The host does not appear to be running Mac OS X.");

  c = get_kb_item("Host/OS/Confidence");
  if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
}
if (!os) exit(0, "The host does not appear to be running Mac OS X.");


if (ereg(pattern:"Mac OS X 10\.7($|\.[0-3]([^0-9]|$))", string:os)) security_hole(0);
else exit(0, "The host is not affected as it is running "+os+".");
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_CURL-120124.NASL
    descriptionThe following vulnerabilities have been fixed in curl : - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180)
    last seen2020-06-05
    modified2014-06-13
    plugin id75806
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75806
    titleopenSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update curl-5702.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75806);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2010-4180", "CVE-2011-3389", "CVE-2012-0036");

  script_name(english:"openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)");
  script_summary(english:"Check for the curl-5702 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The following vulnerabilities have been fixed in curl :

  - IMAP, POP3 and SMTP URL sanitization vulnerability
    (CVE-2012-0036)

  - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    (CVE-2011-3389)

  - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option
    for older openssl versions (CVE-2010-4180)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=740452"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=742306"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2012-02/msg00032.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected curl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.4", reference:"curl-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"curl-debuginfo-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libcurl-devel-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libcurl4-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"libcurl4-debuginfo-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"libcurl4-32bit-7.21.2-10.11.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.21.2-10.11.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / libcurl-devel / libcurl4 / libcurl4-32bit / curl-debuginfo / etc");
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1346-1.NASL
    descriptionDan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id57689
    published2012-01-25
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57689
    titleUbuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-1346-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(57689);
  script_version("1.9");
  script_cvs_date("Date: 2019/09/19 12:54:27");

  script_cve_id("CVE-2012-0036");
  script_xref(name:"USN", value:"1346-1");

  script_name(english:"Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Dan Fandrich discovered that curl incorrectly handled URLs containing
embedded or percent-encoded control characters. If a user or automated
system were tricked into processing a specially crafted URL, arbitrary
data could be injected.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/1346-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected libcurl3, libcurl3-gnutls and / or libcurl3-nss
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-gnutls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcurl3-nss");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.10 / 11.04 / 11.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"10.10", pkgname:"libcurl3", pkgver:"7.21.0-1ubuntu1.3")) flag++;
if (ubuntu_check(osver:"10.10", pkgname:"libcurl3-gnutls", pkgver:"7.21.0-1ubuntu1.3")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"libcurl3", pkgver:"7.21.3-1ubuntu1.5")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"libcurl3-gnutls", pkgver:"7.21.3-1ubuntu1.5")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"libcurl3-nss", pkgver:"7.21.3-1ubuntu1.5")) flag++;
if (ubuntu_check(osver:"11.10", pkgname:"libcurl3", pkgver:"7.21.6-3ubuntu3.2")) flag++;
if (ubuntu_check(osver:"11.10", pkgname:"libcurl3-gnutls", pkgver:"7.21.6-3ubuntu3.2")) flag++;
if (ubuntu_check(osver:"11.10", pkgname:"libcurl3-nss", pkgver:"7.21.6-3ubuntu3.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libcurl3 / libcurl3-gnutls / libcurl3-nss");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-0888.NASL
    descriptionreject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-02-13
    plugin id57897
    published2012-02-13
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57897
    titleFedora 15 : curl-7.21.3-13.fc15 (2012-0888)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2012-0888.
#

include("compat.inc");

if (description)
{
  script_id(57897);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-0036");
  script_bugtraq_id(51665);
  script_xref(name:"FEDORA", value:"2012-0888");

  script_name(english:"Fedora 15 : curl-7.21.3-13.fc15 (2012-0888)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"reject URLs containing bad data (CVE-2012-0036)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=773457"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-February/073162.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c0fc804d"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected curl package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:curl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC15", reference:"curl-7.21.3-13.fc15")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-0894.NASL
    descriptionreject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-01-30
    plugin id57719
    published2012-01-30
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57719
    titleFedora 16 : curl-7.21.7-6.fc16 (2012-0894)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2012-0894.
#

include("compat.inc");

if (description)
{
  script_id(57719);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-0036");
  script_bugtraq_id(51665);
  script_xref(name:"FEDORA", value:"2012-0894");

  script_name(english:"Fedora 16 : curl-7.21.7-6.fc16 (2012-0894)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"reject URLs containing bad data (CVE-2012-0036)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=773457"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072531.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1f90ccf0"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected curl package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:curl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC16", reference:"curl-7.21.7-6.fc16")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl");
}
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-76.NASL
    description - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452, CVE-2012-0036) - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option when built against an older OpenSSL version (CVE-2010-4180). - Don
    last seen2020-06-05
    modified2014-06-13
    plugin id74807
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/74807
    titleopenSUSE Security Update : curl (openSUSE-2012-76) (BEAST)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2012-76.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(74807);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2010-4180", "CVE-2011-3389", "CVE-2012-0036");

  script_name(english:"openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)");
  script_summary(english:"Check for the openSUSE-2012-76 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"  - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452,
    CVE-2012-0036)

  - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option
    when built against an older OpenSSL version
    (CVE-2010-4180).

  - Don't enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    (bnc#742306, CVE-2011-3389)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=740452"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=742306"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected curl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:curl-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/30");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.1", reference:"curl-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"curl-debuginfo-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"libcurl-devel-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"libcurl4-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"libcurl4-debuginfo-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"libcurl4-32bit-7.22.0-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", cpu:"x86_64", reference:"libcurl4-debuginfo-32bit-7.22.0-2.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "curl / curl-debuginfo / libcurl-devel / libcurl4-32bit / libcurl4 / etc");
}
  • NASL familyWeb Servers
    NASL idHPSMH_7_1_1_1.NASL
    descriptionAccording to the web server
    last seen2020-06-01
    modified2020-06-02
    plugin id59851
    published2012-07-05
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59851
    titleHP System Management Homepage < 7.1.1 Multiple Vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2012-058.NASL
    descriptionMultiple vulnerabilities has been found and corrected in curl : curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. A work-around has been added to mitigate the problem (CVE-2011-3389). curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs (CVE-2012-0036). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id58759
    published2012-04-16
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58759
    titleMandriva Linux Security Advisory : curl (MDVSA-2012:058)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CURL-7937.NASL
    descriptionThis update to curl fixes the following security issue : - Don
    last seen2020-06-05
    modified2012-02-06
    plugin id57842
    published2012-02-06
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57842
    titleSuSE 10 Security Update : curl (ZYPP Patch Number 7937)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201203-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201203-02 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been found in cURL: When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192). When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). Impact : A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id58212
    published2012-03-06
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58212
    titleGLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2398.NASL
    descriptionSeveral vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-3389 This update enables OpenSSL workarounds against the
    last seen2020-03-17
    modified2012-01-31
    plugin id57738
    published2012-01-31
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57738
    titleDebian DSA-2398-2 : curl - several vulnerabilities (BEAST)

References