Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client.

Stefan Esser reports :

A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon.

The vulnerability is in the function ne_rfc1036_parse, which is in turn used by the function ne_httpdate_parse. Applications using either of these neon functions may be vulnerable.

Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library, which is also present in cadaver, a command-line client for WebDAV server. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.

Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.

The remote host is affected by the vulnerability described in GLSA-200405-15 (cadaver heap-based buffer overflow)

    Stefan Esser discovered a vulnerability in the code of the neon library     (see GLSA 200405-13). This library is also included in cadaver.
  Impact :

    When connected to a malicious WebDAV server, this vulnerability could allow     remote execution of arbitrary code with the rights of the user running     cadaver.
  Workaround :

    There is no known workaround at this time. All users are advised to upgrade     to the latest available version of cadaver.

The remote host is affected by the vulnerability described in GLSA-200405-13 (neon heap-based buffer overflow)

    Stefan Esser discovered a vulnerability in the code of the neon library :
    if a malicious date string is passed to the ne_rfc1036_parse() function, it     can trigger a string overflow into static heap variables.
  Impact :

    Depending on the application linked against libneon and when connected to a     malicious WebDAV server, this vulnerability could allow execution of     arbitrary code with the rights of the user running that application.
  Workaround :

    There is no known workaround at this time. All users are advised to upgrade     to the latest available version of neon.

The remote host is using software based on a vulnerable version of the Neon Library, an open-source HTTP and WebDAV client library. Depending of the application using the library, an attacker running a malicious WebDAV server may execute arbitrary code on the host or create a denial of service.

The remote host is using software based on a vulnerable version of the Neon Library, an open-source HTTP and WebDAV client library. An attacker running a malicious WebDAV server may execute arbitrary code on the host.

The OpenOffice.org office suite contains an internal libneon library which allows it to connect to WebDAV servers. This internal library is subject to the same vulnerabilities that were fixed in libneon recently. These updated packages contain fixes to libneon to correct the several format string vulnerabilities in it, as well as a heap-based buffer overflow vulnerability.

It was discovered that in portions of neon, sscanf() is used in an unsafe manner. This will result in an overflow of a static heap variable.

The updated packages provide a patched libneon to correct these problems.

Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using a neon-based application which uses the date parsing routines, such as cadaver.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0398 to this issue. This update includes packages with a patch for this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated cadaver package is now available that fixes a vulnerability in neon which could be exploitable by a malicious DAV server.

cadaver is a command-line WebDAV client that uses inbuilt code from neon, an HTTP and WebDAV client library.

Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0398 to this issue.

Users of cadaver are advised to upgrade to this updated package, which contains a patch correcting this issue.

This issue does not affect Red Hat Enterprise Linux 3.

ID	Name	Product	Family	Severity
38015	FreeBSD : neon date parsing vulnerability (8d075001-a9ce-11d8-9c6d-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
15344	Debian DSA-507-1 : cadaver - buffer overflow	Nessus	Debian Local Security Checks	high
15343	Debian DSA-506-1 : neon - buffer overflow	Nessus	Debian Local Security Checks	high
14501	GLSA-200405-15 : cadaver heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high
14499	GLSA-200405-13 : neon heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high
1780	Neon < 0.24.6 WebDAV Client Library ne_rfc1036_parse Function Heap Overflow	Nessus Network Monitor	Web Clients	high
1779	Neon < 0.24.5 WebDAV Client Library Format String Vulnerabilities (deprecated)	Nessus Network Monitor	Web Clients	high
14176	Mandrake Linux Security Advisory : OpenOffice.org (MDKSA-2004:078)	Nessus	Mandriva Local Security Checks	high
14148	Mandrake Linux Security Advisory : libneon (MDKSA-2004:049)	Nessus	Mandriva Local Security Checks	high
13705	Fedora Core 2 : neon-0.24.5-2.2 (2004-130)	Nessus	Fedora Local Security Checks	high
13704	Fedora Core 1 : neon-0.24.5-2.1 (2004-129)	Nessus	Fedora Local Security Checks	high
12496	RHEL 2.1 : cadaver (RHSA-2004:191)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2004-0398

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high