author | Rich Burridge <rich.burridge@oracle.com> |
Wed, 06 Feb 2013 07:41:13 -0800 | |
changeset 1145 | ebafad4abba7 |
permissions | -rw-r--r-- |
1145
ebafad4abba7
16263409 CVE-2013-0249 libcurl SASL buffer overflow
Rich Burridge <rich.burridge@oracle.com>
From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001 |
From: Eldar Zaitov <[email protected]> |
Date: Wed, 30 Jan 2013 23:22:27 +0100 |
Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow |
|
When negotiating SASL DIGEST-MD5 authentication, the function |
Curl_sasl_create_digest_md5_message() uses the data provided from the |
server without doing the proper length checks and that data is then |
appended to a local fixed-size buffer on the stack. |
|
This vulnerability can be exploited by someone who is in control of a |
server that a libcurl based program is accessing with POP3, SMTP or |
IMAP. For applications that accept user provided URLs, it is also |
thinkable that a malicious user would feed an application with a URL to |
a server hosting code targeting this flaw. |
|
Bug: http://curl.haxx.se/docs/adv_20130206.html |
|
(Note that these changes need to be applied to similar code in |
.../lib/smtp.c for curl version 7.26.0) |
|
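--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -879,7 +879,7 @@
 char cnonce[] = "12345678"; /* will be changed */
 char method[] = "AUTHENTICATE";
 char qop[] = "auth";
- char uri[128] = "smtp/";
+ char uri[128];
 char response[512];
 
 (void)instate; /* no use for this yet */
@@ -963,8 +963,8 @@
 for(i = 0; i < MD5_DIGEST_LEN; i++)
 snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
 
- /* Orepare URL string, append realm to the protocol */
- strcat(uri, realm);
+ /* Prepare URL string, append realm to the protocol */
+ snprintf(uri, sizeof(uri), "smtp/%s", realm);
 
 /* Calculate H(A2) */
 ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
@@ -1008,20 +1008,11 @@
 for(i = 0; i < MD5_DIGEST_LEN; i++)
 snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
 
- strcpy(response, "username=\"");
- strcat(response, conn->user);
- strcat(response, "\",realm=\"");
- strcat(response, realm);
- strcat(response, "\",nonce=\"");
- strcat(response, nonce);
- strcat(response, "\",cnonce=\"");
- strcat(response, cnonce);
- strcat(response, "\",nc=");
- strcat(response, nonceCount);
- strcat(response, ",digest-uri=\"");
- strcat(response, uri);
- strcat(response, "\",response=");
- strcat(response, resp_hash_hex);
+ snprintf(response, sizeof(response),
+ "username=\"%s\",realm=\"%s\",nonce=\"%s\","
+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
+ conn->user, realm, nonce,
+ cnonce, nonceCount, uri, resp_hash_hex);
 
 /* Encode it to base64 and send it */
 result = Curl_base64_encode(data, response, 0, &rplyb64, &len);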
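Review bot: The new `snprintf(response, sizeof(response), ...)` call in the third hunk removes the stack overflow but leaves truncation silent: when the server-supplied realm and nonce (plus the user name) exceed the 512-byte `response`, a cut-off authentication string is base64-encoded and sent on the next line instead of the exchange failing cleanly. Capture the return value and bail out, e.g. `int written = snprintf(response, sizeof(response), ...);` followed by `if(written < 0 || (size_t)written >= sizeof(response)) return CURLE_OUT_OF_MEMORY;` (or whichever CURLcode this file uses for "too large"), after confirming whether `snprintf` here is C99 or curl's own wrapper, whose return convention may differ; the same applies to the 128-byte `uri` in the second hunk, where a truncated digest-uri silently feeds H(A2). Separately, the new format string quotes the nc value (`nc=\"%s\"`) whereas the removed lines emitted `,nc=` unquoted; RFC 2831 defines nc-value as bare 8LHEX, so this looks like an unintended wire-format change that should be confirmed against real servers before shipping. The enclosing function begins before the first hunk, so the declaration of `result` and the final return path are not visible here.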