|
|
|
|
|
|
|
|
|
[DOWNLOAD TEXT-VERSION] |
|
Advisory 06/2004 |
libneon date parsing vulnerability |
|
| |
|
Overview
Quote from: http://www.webdav.org/neon
"neon is an HTTP and WebDAV client library, with a C interface. Featuring:
* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."
A vulnerability within a libneon date parsing function could cause a
heap overflow which could lead to remote code execution, depending on
the application using libneon.
OpenOffice and Subversion *DO NOT* use this function and are therefore
not vulnerable to THIS problem.
| |
|
Details
While scanning the libneon source code for common programming errors
an unsafe usage of sscanf() was discovered within one of the date
parsing functions.
When a special crafted date string is passed to the ne_rfc1036_parse()
it may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon
but is considered trivial in cases where an out-of-memory condition
can be triggered, because the overflowing variable is placed infront
of the libneon out-of-memory callback function pointer.
Please notice that your application could be vulnerable even if you
do not use ne_rfc1036_parse() directly, because its functionality
is used by several higher level API functions.
| |
|
Proof of Concept
e-matters is not going to release an exploit for this
vulnerability to the public.
| |
|
Disclosure Timeline
02 May 2004 | Neon developers were contacted by email |
04 May 2004 | Joe Orton has fixed the bug within neon and waits for the public disclosure date |
19 May 2004 | Coordinated Public Disclosure |
| |
|
CVE Information
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue. | |
|
Recommendation
Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function the issue is rated with a
medium severity. Nevertheless upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.
| |
|
GPG-Key
[DOWNLOAD NEW GPG-KEY]
pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
| |
|
Copyright 2004 Stefan Esser. All rights reserved. |
|