CVE-2005-4077
CVSS 4.6
Published: 2005-12-07 20:03:00
Revised: 2011-09-08 00:00:00
NMCOPS    

[Original] Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.


[CNNVD] cURL/libcURL URL Parser Buffer Overflow Vulnerability (CNNVD-200512-121)

        cURL is a command-line file transfer tool that supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
        libcurl contains an overflow vulnerability in its URL parser; an attacker can use it to bypass PHP's safe_mode/open_basedir restrictions or to steal local SSL certificates from Apache's memory. When parsing a URL, libcurl first allocates dedicated buffers for the hostname and path parts. For short URLs, at least 256 bytes are allocated for each buffer; if the input URL exceeds the 256-byte limit, libcurl allocates two buffers whose size equals the length of the input URL. A series of sscanf calls then parses the URL. A malformed URL causes sscanf to copy the complete input URL into the host or path buffer. Because the initial allocation reserves no extra space for the terminating NUL byte, this can produce an off-by-one overflow. Although this overflow is already enough to take control of some malloc()/free() implementations, an attacker can also cause a two-byte overflow through a hostname containing "?". If libcurl finds a "?" in the hostname, it treats the URL as malformed and prepends the path separator "/" to it without any size check.
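The buffer-sizing arithmetic described above, as an added illustration written for this page (a simplified model, not libcurl's own code): `old_buf_size` reproduces the max(256, strlen(url)) rule from the description, `make_url` builds constructed URLs, and the "?"-in-hostname check stands in for libcurl's malformed-URL path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the CVE-2005-4077 sizing flaw. Assumption: the old
 * parser reserved max(256, strlen(url)) bytes per buffer, exactly as the
 * description above states; nothing here is libcurl's real code. */
#define MIN_BUF 256

/* Old sizing rule: max(256, strlen(url)), with no room for the NUL. */
static size_t old_buf_size(const char *url) {
    size_t len = strlen(url);
    return len < MIN_BUF ? MIN_BUF : len;
}

/* Corrected sizing rule: room for the NUL and for a prepended '/'. */
static size_t fixed_buf_size(const char *url) {
    return old_buf_size(url) + 2;
}

/* Does the authority part (between "://" and the first '/') contain '?'?
 * The old parser treated such a URL as malformed and prepended "/" to the
 * copied string without checking the buffer size. */
static int host_has_qmark(const char *url) {
    const char *host = strstr(url, "://");
    host = host ? host + 3 : url;
    const char *end = strchr(host, '/');
    size_t n = end ? (size_t)(end - host) : strlen(host);
    return memchr(host, '?', n) != NULL;
}

/* Worst-case bytes written into one buffer when sscanf copies the whole
 * URL verbatim: the URL, its NUL, and one more byte if "/" is prepended. */
static size_t bytes_written(const char *url) {
    return strlen(url) + 1 + (host_has_qmark(url) ? 1 : 0);
}

/* Bytes by which the copy runs past a buffer of `bufsize`; 0 if it fits. */
static size_t overflow_bytes(const char *url, size_t bufsize) {
    size_t need = bytes_written(url);
    return need > bufsize ? need - bufsize : 0;
}

/* Constructed URL of exactly `total_len` characters: "http://" followed by
 * hostname filler, optionally with a '?' inside the hostname. Caller frees. */
static char *make_url(size_t total_len, int qmark_in_host) {
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (total_len < plen + 2) return NULL;
    char *url = malloc(total_len + 1);
    if (!url) return NULL;
    memcpy(url, prefix, plen);
    memset(url + plen, 'a', total_len - plen);
    if (qmark_in_host) url[plen + 1] = '?';   /* "http://a?aaa..." */
    url[total_len] = '\0';
    return url;
}

/* Overflow, in bytes, for a URL of `total_len` chars under the old rule. */
size_t old_overflow(size_t total_len, int qmark_in_host) {
    char *url = make_url(total_len, qmark_in_host);
    if (!url) return 0;
    size_t over = overflow_bytes(url, old_buf_size(url));
    free(url);
    return over;
}

/* Same check under the corrected rule: always 0. */
size_t fixed_overflow(size_t total_len, int qmark_in_host) {
    char *url = make_url(total_len, qmark_in_host);
    if (!url) return 0;
    size_t over = overflow_bytes(url, fixed_buf_size(url));
    free(url);
    return over;
}

int main(void) {
    printf("300-char URL, old sizing:       %zu byte(s) past the end\n", old_overflow(300, 0));
    printf("300-char URL, '?' in hostname:  %zu byte(s) past the end\n", old_overflow(300, 1));
    printf("100-char URL, old sizing:       %zu (fits in the 256-byte minimum)\n", old_overflow(100, 0));
    printf("300-char URL, corrected sizing: %zu\n", fixed_overflow(300, 1));
    return 0;
}
```

Short URLs never overflow because the 256-byte minimum leaves slack; the off-by-one only appears once the URL is at least 255 bytes long, which is why a length-based sanity check alone is not a fix.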

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [exploitation requires no special access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/a:daniel_stenberg:curl:7.15
cpe:/a:daniel_stenberg:curl:7.13.1
cpe:/a:daniel_stenberg:curl:7.12.3
cpe:/a:daniel_stenberg:curl:7.13.2
cpe:/a:daniel_stenberg:curl:7.12.1
cpe:/a:daniel_stenberg:curl:7.13
cpe:/a:daniel_stenberg:curl:7.12
cpe:/a:daniel_stenberg:curl:7.12.2
cpe:/a:daniel_stenberg:curl:7.14
cpe:/a:daniel_stenberg:curl:7.11.2
cpe:/a:daniel_stenberg:curl:7.14.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10855
Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a de...
*OVAL describes in detail how to detect this vulnerability; more technical detection details can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4077
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-121
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-132A.html
(UNKNOWN)  CERT  TA06-132A
http://www.securityfocus.com/bid/15756
(PATCH)  BID  15756
http://www.securityfocus.com/archive/1/archive/1/418849/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051207 Advisory 24/2005: libcurl URL parsing vulnerability
http://www.hardened-php.net/advisory_242005.109.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_242005.109.html
http://secunia.com/advisories/17907
(VENDOR_ADVISORY)  SECUNIA  17907
http://curl.haxx.se/docs/adv_20051207.html
(VENDOR_ADVISORY)  CONFIRM  http://curl.haxx.se/docs/adv_20051207.html
http://www.vupen.com/english/advisories/2008/0924/references
(VENDOR_ADVISORY)  VUPEN  ADV-2008-0924
http://www.vupen.com/english/advisories/2006/1779
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1779
http://www.vupen.com/english/advisories/2006/0960
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0960
http://www.vupen.com/english/advisories/2005/2791
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2791
http://www.ubuntulinux.org/support/documentation/usn/usn-228-1
(UNKNOWN)  UBUNTU  USN-228-1
http://www.trustix.org/errata/2005/0072/
(UNKNOWN)  TRUSTIX  TSLSA-2005-0072
http://www.securityfocus.com/bid/17951
(UNKNOWN)  BID  17951
http://www.redhat.com/support/errata/RHSA-2005-875.html
(UNKNOWN)  REDHAT  RHSA-2005:875
http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00020.html
(UNKNOWN)  FEDORA  FEDORA-2005-1129
http://www.mandriva.com/security/advisories?name=MDKSA-2005:224
(UNKNOWN)  MANDRIVA  MDKSA-2005:224
http://www.gentoo.org/security/en/glsa/glsa-200603-25.xml
(UNKNOWN)  GENTOO  GLSA-200603-25
http://www.gentoo.org/security/en/glsa/glsa-200512-09.xml
(UNKNOWN)  GENTOO  GLSA-200512-09
http://www.debian.org/security/2005/dsa-919
(UNKNOWN)  DEBIAN  DSA-919
http://secunia.com/advisories/20077
(VENDOR_ADVISORY)  SECUNIA  20077
http://secunia.com/advisories/19457
(VENDOR_ADVISORY)  SECUNIA  19457
http://secunia.com/advisories/19433
(VENDOR_ADVISORY)  SECUNIA  19433
http://secunia.com/advisories/19261
(VENDOR_ADVISORY)  SECUNIA  19261
http://secunia.com/advisories/18336
(VENDOR_ADVISORY)  SECUNIA  18336
http://secunia.com/advisories/18188
(VENDOR_ADVISORY)  SECUNIA  18188
http://secunia.com/advisories/18105
(VENDOR_ADVISORY)  SECUNIA  18105
http://secunia.com/advisories/17977
(VENDOR_ADVISORY)  SECUNIA  17977
http://secunia.com/advisories/17965
(VENDOR_ADVISORY)  SECUNIA  17965
http://secunia.com/advisories/17961
(VENDOR_ADVISORY)  SECUNIA  17961
http://secunia.com/advisories/17960
(VENDOR_ADVISORY)  SECUNIA  17960
http://qa.openoffice.org/issues/show_bug.cgi?id=59032
(UNKNOWN)  MISC  http://qa.openoffice.org/issues/show_bug.cgi?id=59032
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2008-03-18
http://lists.apple.com/archives/security-announce/2006/May/msg00003.html
(UNKNOWN)  APPLE  APPLE-SA-2006-05-11
http://docs.info.apple.com/article.html?artnum=307562
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=307562
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.16/SCOSA-2006.16.txt
(UNKNOWN)  SCO  SCOSA-2006.16

- Vulnerability information

cURL/libcURL URL Parser Buffer Overflow Vulnerability
Medium  Buffer overflow
2005-12-07 00:00:00 2006-01-05 00:00:00
Remote / Local

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
        http://curl.haxx.se/download/curl-7.15.1.tar.gz
        http://www.debian.org/security/2005/dsa-919
        http://security.debian.org/pool/updates/main/c/curl/

- Vulnerability information (F44562)

Debian Linux Security Advisory 919-2 (PacketStormID:F44562)
2006-03-11 00:00:00
Debian  debian.org
advisory,protocol
linux,debian
CVE-2005-4077

Debian Security Advisory DSA 919-2 - The upstream developer of curl, a multi-protocol file transfer library, informed us that the former correction to several off-by-one errors is not sufficient.

--------------------------------------------------------------------------
Debian Security Advisory DSA 919-2                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 10th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : curl
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-4077
BugTraq ID     : 15756
Debian Bugs    : 342339 342696

The upstream developer of curl, a multi-protocol file transfer
library, informed us that the former correction to several off-by-one
errors is not sufficient.  For completeness please find the original
bug description below:

    Stefan Esser discovered several off-by-one errors that allow
    local users to trigger a buffer overflow and cause a denial of
    service or bypass PHP security restrictions via certain URLs.

For the old stable distribution (woody) these problems have been fixed in
version 7.9.5-1woody2.

For the stable distribution (sarge) these problems have been fixed in
version 7.13.2-2sarge5.

For the unstable distribution (sid) these problems have been fixed in
version 7.15.1-1.

We recommend that you upgrade your libcurl packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


- Vulnerability information (F42714)

es263-network.txt (PacketStormID:F42714)
2005-12-31 00:00:00
Daniel Guido,Michael Aiello  michaelaiello.com
advisory,vulnerability
CVE-2005-3185,CVE-2005-4077

Electric Sheep version 2.6.3 suffers from network related vulnerabilities due to libcurl issues.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Polytechnic University ISIS Security Advisory            PUISIS10212005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                  http://isis.poly.edu/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~ Application: Electric Sheep v2.6.3
~    Severity: Medium-High
~       Title: Multiple Network-related Vulnerabilities in Electric Sheep
~        Date: October 20, 2005
~          ID: PUISIS10212005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Summary
========
The lack of an authentication framework for downloaded sheep mpegs, as
well as its dependence on and vulnerabilities in cURL allows an
attacker to send and display arbitrary movie files in the Electric
Sheep client and perform arbitrary local and remote code execution.

Background
==========
"Electric Sheep is a free, open source screen saver run by thousands
of people all over the world. It can be installed on any ordinary PC
or Mac. When these computers "sleep", the screen saver comes on and
the computers communicate with each other by the internet to share
the work of creating morphing abstract animations known as "sheep."
http://electricsheep.org/

Description
===========
By spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a malicious sheep server, it is possible
to force the Electric Sheep client to download and display arbitrary
mpegs due to a lack of authentication of the sheep server and sheep
mpegs. At minimum, a rogue sheep server would need to respond to the
Electric Sheep client with list.gz, a list of sheep available for
download, and the referenced mpegs. To properly display the mpegs, they
need to contain special footer information which can be found at the
bottom of any pre-existing Electric Sheep mpegs.

Electric Sheep uses cURL internally for interaction with the Electric
Sheep server. Two recent vulnerabilities in cURL can be exploited
through malicious interaction with the Electric Sheep client.

As in the previous vulnerability, spoofing the DNS entry of
sheepserver.net or otherwise redirecting the Electric Sheep client
to a malicious sheep server and replacing it with an appropriate HTTP
30x response can allow remote code execution through cURL due to an
NTLM buffer overflow vulnerability [1,2].

Calling the Electric Sheep client by command line, configuration file,
or otherwise with a malicious sheep server URL allows local code
execution through cURL due to a URL buffer overflow vulnerability.
In addition, by redirecting the Electric Sheep client to a rogue sheep
server and supplying a list of maliciously formatted URLs it is
possible to exploit the same cURL URL buffer overflow vulnerability
remotely. This is possible because the Electric Sheep client makes
direct system calls to the vulnerable cURL application from network
supplied input [3,4].

Impact
======
By spoofing the DNS entry for sheepserver.net or otherwise redirecting
the Electric Sheep client to a rogue sheep server, it is possible to
remotely control the video displayed or remotely execute code on all
Electric Sheep clients affected by such a redirection. Local code
execution is also possible due to a cURL vulnerability.

Workaround
==========
The vendor was notified on November 18, 2005. The vendor was extremely
responsive and cooperative in regards to these security issues. All
issues are fixed in the CVS HEAD of Electric Sheep client development
and will be included in the next release.

References
==========

  [ 1 ] libcurl NTLM Buffer Overflow Vulnerability
        http://curl.haxx.se/docs/adv_20051013.html

  [ 2 ] CVE-2005-3185
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185

  [ 3 ] libcurl URL Buffer Overflow Vulnerability
        http://curl.haxx.se/docs/adv_20051207.html

  [ 4 ] CVE-2005-4077
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077

About
=====
The Information Systems and Internet Security (ISIS) Laboratory is an
NSF funded laboratory designed to facilitate hands-on experimentation
and project work in issues related to information security. It provides
the focus for multidisciplinary research and education in emerging
areas of security. Polytechnic University, an NSA Center of Academic
Excellence in Information Assurance Education, houses the lab.

These vulnerabilities were discovered during coursework performed for
"Penetration Testing & Vulnerability Analysis" offered at Polytechnic
University (http://www.poly.edu) during the Fall 2005 semester.

License
=======
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

Authors
=======
Daniel Guido dguido@gmail.com
Michael Aiello http://www.michaelaiello.com/


- Vulnerability information

21509
cURL/libcURL Crafted URL Parsing Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-07 2005-11-29
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

cURL / libcURL URL Parser Buffer Overflow Vulnerability
Boundary Condition Error 15756
Yes Yes
2005-12-07 12:00:00 2008-03-19 02:40:00
Stefan Esser of the Hardened-PHP Project is credited with the discovery of these vulnerabilities.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SCO Unixware 7.1.4
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
OpenOffice OpenOffice 2.0.1
OpenOffice OpenOffice 2.0 Beta
OpenOffice OpenOffice 1.9.79
OpenOffice OpenOffice 1.1.52
OpenOffice OpenOffice 1.1.51
OpenOffice OpenOffice 1.1.4
OpenOffice OpenOffice 1.1.3
OpenOffice OpenOffice 1.1.2
OpenOffice OpenOffice 1.1.1
OpenOffice OpenOffice 1.1.0
OpenOffice OpenOffice 1.0.3
OpenOffice OpenOffice 1.0.2
OpenOffice OpenOffice 1.0.1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Gentoo Linux
Electric Sheep Electric Sheep 2.6.3
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Daniel Stenberg curl 7.15
Daniel Stenberg curl 7.14.1
Daniel Stenberg curl 7.14
Daniel Stenberg curl 7.13.2
Daniel Stenberg curl 7.13.1
Daniel Stenberg curl 7.13
Daniel Stenberg curl 7.12.3
Daniel Stenberg curl 7.12.2
Daniel Stenberg curl 7.12.1
Daniel Stenberg curl 7.12
Daniel Stenberg curl 7.11.2
Cosmicperl Directory Pro 10.0.3
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X Server 10.5
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.1
Apple Mac OS X 10.4.11
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
Apple Mac OS X 10.5
OpenOffice OpenOffice 2.0.2
Daniel Stenberg curl 7.15.1

- Unaffected Program Versions

OpenOffice OpenOffice 2.0.2
Daniel Stenberg curl 7.15.1

- Vulnerability Discussion

cURL and libcURL are prone to a buffer-overflow vulnerability. This issue is due to a failure in the library to perform proper bounds checks on user-supplied data before using it in a finite-sized buffer.

The issues occur when the URL parser function handles an excessively long URL string.

An attacker can exploit this issue to crash the affected library, effectively denying service. Arbitrary code execution may also be possible, which may facilitate a compromise of the underlying system.
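The two sizing mistakes behind this overflow (an allocation with no room for the terminating NUL, and a "/" prepended without a size check when the host contains "?"), as an added C model that is not libcurl's code: it takes the URL in the scheme-less form the fallback scan sees, reports by how many bytes the undersized buffer is overrun, and puts a length-checked split beside it. The 256-byte minimum follows the advisory's description; the function names and the sample host are constructed for this illustration.

```c
#include <string.h>

/* Host-buffer size the vulnerable code chose, per the advisory: at least 256
 * bytes, otherwise exactly the input length, leaving no room for the NUL. */
size_t vulnerable_alloc(const char *url) {
    size_t len = strlen(url);
    return len < 256 ? 256 : len;
}

/* Bytes the parser writes into that buffer: every host byte plus the
 * terminating NUL, and one more when a '?' inside the host makes it prepend
 * a "/" without a size check (the two conditions the CVE text lists). */
size_t bytes_written(const char *url) {
    size_t hlen = strcspn(url, "/");                  /* host runs to the first '/' */
    size_t written = hlen + 1;                        /* host chars + NUL */
    if (memchr(url, '?', hlen) != NULL) written += 1; /* prepended "/" */
    return written;
}

/* Bytes written past the end of the allocation; 0 means the 256-byte minimum
 * absorbed the mistake, which is why only long URLs trigger the bug. */
size_t overflow_bytes(const char *url) {
    size_t a = vulnerable_alloc(url), w = bytes_written(url);
    return w > a ? w - a : 0;
}

/* Hardened split into caller-sized buffers: both lengths are checked before any
 * copy, and the extra '/' a '?' in the host costs is counted up front. 0 or -1. */
int split_url(const char *url, char *host, size_t hostcap, char *path, size_t pathcap) {
    size_t hlen = strcspn(url, "/?");
    const char *rest = url + hlen;                    /* "", "/..." or "?..." */
    size_t slash = (rest[0] == '?') ? 1 : 0;
    size_t plen = strlen(rest) + slash;
    if (hlen + 1 > hostcap || plen + 1 > pathcap) return -1;
    memcpy(host, url, hlen); host[hlen] = '\0';
    if (slash) path[0] = '/';
    memcpy(path + slash, rest, strlen(rest) + 1);     /* includes the NUL */
    return 0;
}

/* Constructed sample input (not from the advisory): a host of n 'a' bytes
 * (n <= 1020), optionally followed by "?x", and no path component. */
const char *sample_url(size_t n, int with_query) {
    static char buf[1024];
    memset(buf, 'a', n);
    buf[n] = '\0';
    if (with_query) strcat(buf, "?x");
    return buf;
}
```

A 300-byte host with no path overruns by one byte, the same host with "?x" by two, while a 100-byte host stays inside the 256-byte minimum and overruns by nothing.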

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

Please see the referenced advisories for more information.

OpenOffice OpenOffice 1.0.1
OpenOffice OpenOffice 1.1.51
Apple Mac OS X 10.4.11
Apple Mac OS X Server 10.4.11
Apple Mac OS X 10.5.2
Apple Mac OS X Server 10.5.2
Daniel Stenberg curl 7.11.2
Daniel Stenberg curl 7.13.1
Daniel Stenberg curl 7.14
Daniel Stenberg curl 7.15

- References
