Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.

Updated curl packages are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.

Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.

All users of curl are advised to upgrade to these updated packages, which contain backported fixes for these issues.

infamous41md discovered a buffer overflow in cURL's NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer.
This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two iDEFENSE Security Advisories reports :

An exploitable stack-based buffer overflow condition exists when using NT Lan Manager (NTLM) authentication. The problem specifically exists within Curl_input_ntlm() defined in lib/http_ntlm.c.

Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using NTLM authentication.

An exploitable stack-based buffer overflow condition exists when using Kerberos authentication. The problem specifically exists within the functions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c.

Successful exploitation allows remote attackers to execute arbitrary code under the privileges of the target user. Exploitation requires that an attacker either coerce or force a target to connect to a malicious server using Kerberos authentication.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2005:340 advisory.

    cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and     Dict servers, using any of the supported protocols. cURL is designed     to work without user interaction or any kind of interactivity.

    Multiple buffer overflow bugs were found in the way curl processes base64     encoded replies. If a victim can be tricked into visiting a URL with curl,     a malicious web server could execute arbitrary code on a victim's machine.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has     assigned the name CAN-2005-0490 to this issue.

    All users of curl are advised to upgrade to these updated     packages, which contain backported fixes for these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200503-20 (curl: NTLM response buffer overflow)

    curl fails to properly check boundaries when handling NTLM     authentication.
  Impact :

    With a malicious server an attacker could send a carefully crafted     NTLM response to a connecting client leading to the execution of     arbitrary code with the permissions of the user running curl.
  Workaround :

    Disable NTLM authentication by not using the --anyauth or --ntlm     options.

'infamous41md' discovered a buffer overflow vulnerability in libcurl's NTLM authorization base64 decoding. This could allow a remote attacker using a prepared remote server to execute arbitrary code as the user running curl.

The updated packages are patched to deal with these issues.

The remote host is missing the patch for the advisory SUSE-SA:2005:011 (curl).


infamous41md@hotpop.com reported a vulnerability in libcurl, the HTTP/FTP retrieval library. This library is used by lots of programs, including YaST2 and PHP4.

The NTLM authorization in curl had a buffer overflow in the base64 decoding which allows a remote attacker using a prepared remote server to execute code for the user using curl.

The Kerberos authorization has a similar bug, but is not compiled in on SUSE Linux.

This is tracked by the Mitre CVE ID CVE-2005-0490.

The remote host is using a version of curl (or libcurl) that is vulnerable to several remote buffer overflows. To exploit this vulnerability, an attacker would have to set up a rogue web server that would reply with a malicious NTLM or Kerberos authentication request.  Upon successful exploitation, the attacker would be able to execute arbitrary commands with the rights of the web server. 

ID	Name	Product	Family	Severity
78203	F5 Networks BIG-IP : cURL buffer overflow vulnerability (SOL4447)	Nessus	F5 Networks Local Security Checks	medium
21805	CentOS 3 / 4 : curl (CESA-2005:340)	Nessus	CentOS Local Security Checks	medium
20711	Ubuntu 4.10 : curl vulnerability (USN-86-1)	Nessus	Ubuntu Local Security Checks	medium
19038	FreeBSD : curl -- authentication buffer overflow vulnerability (96df5fd0-8900-11d9-aa18-0001020eed82)	Nessus	FreeBSD Local Security Checks	medium
17979	RHEL 4 : curl (RHSA-2005:340)	Nessus	Red Hat Local Security Checks	high
17345	GLSA-200503-20 : curl: NTLM response buffer overflow	Nessus	Gentoo Local Security Checks	medium
17277	Mandrake Linux Security Advisory : curl (MDKSA-2005:048)	Nessus	Mandriva Local Security Checks	medium
17238	SUSE-SA:2005:011: curl	Nessus	SuSE Local Security Checks	medium
2640	Curl < 7.13.1 NTLM Stack-based Buffer Overflow	Nessus Network Monitor	Web Clients	high
801387	Curl < 7.13.1 NTLM Stack-based Buffer Overflow	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2005-0490

high

Tenable Plugins

medium

medium

medium

medium

high

medium

medium

medium

high

high