Advisory 06/2004
libneon date parsing vulnerability
 
 
 
Release Date: 2004/05/19
Author: Stefan Esser [s.esser@ematters.de]
Application: libneon <= 0.24.5
Severity: A vulnerability within a date parsing function allows arbitrary code execution
Risk: Medium
Reference: http://security.e-matters.de/advisories/062004.html
Last Modified: 2004/05/19
 
 
 
 
Overview

Quote from: http://www.webdav.org/neon

"neon is an HTTP and WebDAV client library, with a C interface. Featuring:

* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."

A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon.

OpenOffice and Subversion *DO NOT* use this function and are therefore not vulnerable to THIS problem.
 
 
 
 
Details

While scanning the libneon source code for common programming errors, an unsafe usage of sscanf() was discovered within one of the date parsing functions.

When a specially crafted date string is passed to ne_rfc1036_parse(), it may trigger an sscanf() string overflow into static heap variables. Exploitability heavily depends on the application linked against neon, but is considered trivial in cases where an out-of-memory condition can be triggered, because the overflowing variable is placed in front of the libneon out-of-memory callback function pointer.

Please note that your application could be vulnerable even if you do not use ne_rfc1036_parse() directly, because its functionality is used by several higher-level API functions.
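The following is an added illustration of the bug class described above, not neon's own code: the advisory does not reproduce ne_rfc1036_parse(), so the buffer sizes, the weekday/month tables, the fill() helper and the two-digit year pivot are assumptions made for this example. It shows a width-less sscanf() string conversion writing into fixed-size static buffers next to the bounded form, and the bounded form additionally rejects trailing input with %n. RFC 1036 dates look like "Sunday, 06-Nov-94 08:49:37 GMT".

```c
/* Added example (not neon's code): width-less sscanf() string conversions
 * into static buffers, beside a bounded version of the same parser. */
#include <stdio.h>
#include <string.h>

struct rfc1036_date {
    int wday;          /* 0 = Sunday .. 6 = Saturday */
    int day;
    int mon;           /* 0 = Jan .. 11 = Dec */
    int year;          /* four-digit year */
    int hour, min, sec;
};

/* Assumed tables; the real library's are not on the page. */
static const char *const wkdays[7] = {
    "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"
};
static const char *const months[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Index of name in table, or -1 when it is not a known token. */
static int lookup(const char *const *table, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(table[i], name) == 0)
            return i;
    return -1;
}

/* Two-digit year expanded with the POSIX strptime() %y pivot:
 * 69..99 -> 19xx, 00..68 -> 20xx (an assumption for this example). */
static int expand_year(int yy) { return yy >= 69 ? 1900 + yy : 2000 + yy; }

/* Hypothetical helper: validate the parsed fields and fill the result. */
static int fill(struct rfc1036_date *out, const char *wkday, int day,
                const char *mon, int yy, int h, int m, int s)
{
    out->wday = lookup(wkdays, 7, wkday);
    out->mon = lookup(months, 12, mon);
    if (out->wday < 0 || out->mon < 0 || day < 1 || day > 31 ||
        h < 0 || h > 23 || m < 0 || m > 59 || s < 0 || s > 60)
        return -1;
    out->day = day; out->year = expand_year(yy);
    out->hour = h; out->min = m; out->sec = s;
    return 0;
}

/* VULNERABLE pattern (illustrative): "%[^,]" carries no field width, so a
 * weekday token longer than 9 characters runs past wkday[] into whatever
 * static data the linker placed after it; the advisory notes that in neon
 * this neighbour was the out-of-memory callback pointer. */
int rfc1036_parse_unsafe(const char *date, struct rfc1036_date *out)
{
    static char wkday[10], mon[4];
    int day, yy, h, m, s;
    if (sscanf(date, "%[^,], %2d-%3s-%2d %2d:%2d:%2d GMT",
               wkday, &day, mon, &yy, &h, &m, &s) != 7)
        return -1;
    return fill(out, wkday, day, mon, yy, h, m, s);
}

/* HARDENED: each string conversion has a width one less than its buffer
 * (room for the NUL), and "%n" records how much input was consumed so
 * anything left over, including a missing " GMT", is rejected. */
int rfc1036_parse_safe(const char *date, struct rfc1036_date *out)
{
    char wkday[10], mon[4];
    int day, yy, h, m, s, consumed = 0;
    if (sscanf(date, "%9[^,], %2d-%3s-%2d %2d:%2d:%2d GMT%n",
               wkday, &day, mon, &yy, &h, &m, &s, &consumed) != 7
        || date[consumed] != '\0')
        return -1;
    return fill(out, wkday, day, mon, yy, h, m, s);
}

int main(void)
{
    struct rfc1036_date d;
    const char *sample = "Sunday, 06-Nov-94 08:49:37 GMT";   /* constructed input */
    if (rfc1036_parse_safe(sample, &d) == 0)
        printf("%s -> %04d-%02d-%02d %02d:%02d:%02d (wday %d)\n", sample,
               d.year, d.mon + 1, d.day, d.hour, d.min, d.sec, d.wday);
    return 0;
}
```

The bounded version still couples a literal width ("%9") to a buffer size (10) by hand, and that coupling is where off-by-one mistakes creep in during maintenance; keeping the width and the array size next to each other, or deriving the format string from sizeof, is the check to add when auditing similar sscanf() calls.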
 
 
 
 
Proof of Concept

e-matters is not going to release an exploit for this vulnerability to the public.
 
 
 
 
Disclosure Timeline

02 May 2004 - Neon developers were contacted by email
04 May 2004 - Joe Orton has fixed the bug within neon and waits for the public disclosure date
19 May 2004 - Coordinated Public Disclosure
 
 
 
 
CVE Information

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0398 to this issue.
 
 
 
 
Recommendation

Because Subversion and OpenOffice, which are the most important libneon users, do not use the vulnerable function, the issue is rated with a medium severity. Nevertheless, upgrading your neon version is recommended because other applications could be vulnerable and could expose the vulnerable function to the outside world.
 
 
 
 
GPG-Key

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
 
 
 
 
Copyright 2004 Stefan Esser. All rights reserved.