FreeBSD : curl -- URL buffer overflow vulnerability (9b4facec-6761-11da-99f6-00123ffe8333)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

A Project cURL Security Advisory reports :

libcurl's URL parser function can overflow a malloced buffer in two
ways, if given a too long URL.

1 - pass in a URL with no protocol (like 'http://') prefix, using no
slash and the string is 256 bytes or longer. This leads to a single
zero byte overflow of the malloced buffer.

2 - pass in a URL with only a question mark as separator (no slash)
between the host and the query part of the URL. This leads to a single
zero byte overflow of the malloced buffer.

Both overflows can be made with the same input string, leading to two
single zero byte overwrites.

The affected flaw cannot be triggered by a redirect, but the long URL
must be passed in 'directly' to libcurl. It makes this a 'local'
problem. Of course, lots of programs may still pass in user-provided
URLs to libcurl without doing much syntax checking of their own,
allowing a user to exploit this vulnerability.

See also :

http://curl.haxx.se/docs/adv_20051207.html
http://www.hardened-php.net/advisory_242005.109.html
http://www.nessus.org/u?4ee09105

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 3.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21483 (freebsd_pkg_9b4facec676111da99f600123ffe8333.nasl)

Bugtraq ID: 15756

CVE ID: CVE-2005-4077