CURL-CVE-2018-1000120

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2018-1000120.html

Import Source

https://curl.se/docs/CURL-CVE-2018-1000120.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2018-1000120

Aliases

Published

2018-03-14T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

FTP path trickery leads to NIL byte out of bounds write

Details

curl can be fooled into writing a zero byte out of bounds.

This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command (--ftp-method singlecwd or the libcurl alternative CURLOPT_FTP_FILEMETHOD).

curl then URL-decodes the given path, calls strlen() on the result and deducts the length of the filename part to find the end of the directory within the buffer. It then writes a zero byte on that index, in a buffer allocated on the heap.

If the directory part of the URL contains a "%00" sequence, the directory length might end up shorter than the filename path, making the calculation size_t index = directory_len - filepart_len end up with a huge index variable for where the zero byte gets stored: heap_buffer[index] = 0. On several architectures that huge index wraps and works as a negative value, thus overwriting memory before the intended heap buffer.

By using different file part lengths and putting %00 in different places in the URL, an attacker that can control what paths a curl-using application uses can write that zero byte on different indexes.

Database specific

{
    "URL": "https://curl.se/docs/CVE-2018-1000120.json",
    "CWE": {
        "desc": "Heap-based Buffer Overflow",
        "id": "CWE-122"
    },
    "www": "https://curl.se/docs/CVE-2018-1000120.html",
    "affects": "both",
    "severity": "High",
    "package": "curl",
    "last_affected": "7.58.0"
}

References

Credits

- Duy Phan Thanh - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.12.3

Fixed

7.59.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

6e1e9caa32da099569bb95e64faf0b5f3cf103b5

Fixed

535432c0adb62fe167ec09621500470b6fa4eb0f

Affected versions

7.*

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CURL-CVE-2018-1000120-1a41fdc7",
        "digest": {
            "line_hashes": [
                "186785845436151373612249911977958489167",
                "139368412014933340594086933420174292978",
                "70225530077095739146651377461514758151",
                "315143483916214608334710777218089290124",
                "330558257654468377878934021755801694908",
                "254969999324771221931386190909434168886",
                "314505041855647615494139870984025356690",
                "193603554521551770788174899501257487744",
                "218104536554178230123180371501278426620",
                "249311429039464347119097856005670027110",
                "1949081060692883523800352474588507207",
                "213361387690354360733145989391887781117",
                "208717138941869647486339912054043560965",
                "269526386197135474816625635309184114445",
                "66234633984291063582401520848155751934",
                "309919340248357245579399319652351958555"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f",
        "deprecated": false,
        "target": {
            "file": "lib/ftp.c"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CURL-CVE-2018-1000120-3930517d",
        "digest": {
            "length": 925.0,
            "function_hash": "165261537492784234712649842191490061433"
        },
        "source": "https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f",
        "deprecated": false,
        "target": {
            "file": "lib/ftp.c",
            "function": "ftp_state_list"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CURL-CVE-2018-1000120-3dc55c90",
        "digest": {
            "length": 3107.0,
            "function_hash": "53816560832323379067076410399629338950"
        },
        "source": "https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f",
        "deprecated": false,
        "target": {
            "file": "lib/ftp.c",
            "function": "ftp_parse_url_path"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CURL-CVE-2018-1000120-e7d820bb",
        "digest": {
            "length": 4608.0,
            "function_hash": "250530457694557457073913850752791544424"
        },
        "source": "https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f",
        "deprecated": false,
        "target": {
            "file": "lib/ftp.c",
            "function": "ftp_done"
        }
    }
]