Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.

A Project cURL Security Advisory reports :

libcurl uses the given file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer due to the lack of boundary check.

This overflow happens if you pass in a URL with a TFTP protocol prefix ('tftp://'), using a valid host and a path part that is longer than 512 bytes.

The affected flaw can be triggered by a redirect, if curl/libcurl is told to follow redirects and an HTTP server points the client to a tftp URL with the characteristics described above.

The remote host is affected by the vulnerability described in GLSA-200603-19 (cURL/libcurl: Buffer overflow in the handling of TFTP URLs)

    Ulf Harnhammar reported a possible buffer overflow in the handling     of TFTP URLs in libcurl due to the lack of boundary checks.
  Impact :

    An attacker could exploit this vulnerability to compromise a     user's system by enticing the user to request a malicious URL with     cURL/libcurl or to use a HTTP server redirecting to a malicious TFTP     URL.
  Workaround :

    There is no known workaround at this time.

This curl update fixes security vulnerability CVE-2006-1061 - curl can overflow a heap-based memory buffer if very long TFTP URL with valid host name is passed to curl. This update fixes installation problems on multilib architectures, too.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using a version of curl (or libcurl) that is vulnerable to a remote buffer overflows. An attacker would have to set up a rogue web server and entice a curl user to browse to the malicious server to exploit this vulnerability.  Upon successful exploitation, the attacker would be able to execute arbitrary commands with the rights of the web server.  The specific flaw occurs when processing long 'tftp://' URIs.  E.g., tftp://www.somesite.com/[512 bytes]

ID	Name	Product	Family	Severity
21501	FreeBSD : curl -- TFTP packet buffer overflow vulnerability (b8e361b8-b7ff-11da-8414-0013d4a4a40e)	Nessus	FreeBSD Local Security Checks	high
21126	GLSA-200603-19 : cURL/libcurl: Buffer overflow in the handling of TFTP URLs	Nessus	Gentoo Local Security Checks	high
21123	Fedora Core 5 : curl-7.15.1-3 (2006-189)	Nessus	Fedora Local Security Checks	high
3481	Curl < 7.15.3 TFTP URL Parsing Overflow	Nessus Network Monitor	Web Clients	high
801384	Curl < 7.15.3 TFTP URL Parsing Overflow	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2006-1061

critical

Tenable Plugins

high

high

high

high

high