CVE-2013-0249
Published: 2013-03-08
Priority: P2 (58, high); CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 22.91% (97.5th percentile)
Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.
Affected (14 ranges in the source record)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.29.0-1 (bookworm) | curl 7.29.0-1 (bookworm) |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 7.29.0-1 | 7.29.0-1 |
| haxx | libcurl | — | — |
Detection & IOCs (extracted from sources)

Indicators:
- Decoded SASL DIGEST-MD5 challenge used by the PoC (realm padded with 'A' characters): `realm="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",nonce="OA6MG9tEQGm2hh",qop="auth",algorithm=md5-sess,charset=utf-8`
- The same challenge base64-encoded, as it appears on the wire: `cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg=`
Detection:
- Detect exploit attempts by monitoring POP3 traffic on port 110/TCP for SASL DIGEST-MD5 challenges containing an oversized 'realm' parameter (>= 128 bytes of padding).
- Monitor for HTTP 302 redirects to POP3/SMTP/IMAP URLs (e.g., `Location: pop3://...`), which may be used to redirect curl clients into the vulnerable SASL DIGEST-MD5 code path.
- Look for SASL DIGEST-MD5 server challenges (base64-encoded) sent over POP3/SMTP/IMAP that decode to a realm value significantly longer than expected; the PoC uses 128 'A' characters as the realm.
- Identify vulnerable libcurl versions 7.26.0 through 7.28.1 in use; the crash manifests in Curl_sasl_create_digest_md5_message() with a stack smash (return address overwritten with 0x4141414141414141).
- The attack chain begins with a crafted HTTP response redirecting to a POP3 URL; detect curl processes opening connections to port 110/TCP immediately after following an HTTP redirect.

Mitigation and scoping:
- Disabling non-HTTP(S) protocols in libcurl via CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS mitigates the attack vector entirely, as the vulnerability is only reachable via POP3, SMTP, or IMAP.
- Red Hat Enterprise Linux 5 and 6 ship versions of curl that are not affected; detection and patching focus should be on curl 7.26.0 through 7.28.1.
- Default compiler options (e.g., stack canaries, ASLR) on affected Ubuntu releases reduce the vulnerability from RCE to denial of service in practice.
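As an added example (not code from this page, the curl project, or any of the advisories quoted here), the following Python script applies the detection rule above: it decodes a base64 SASL DIGEST-MD5 challenge, splits it into directives, and flags any realm of 128 bytes or more. Both samples are constructed inside the script; the first mirrors the PoC challenge quoted above, the second is an ordinary-looking challenge for comparison. The 128-byte threshold, the handling of the `+ ` / `334 ` continuation prefixes and all function names are this example's own assumptions.

```python
import base64
import re

# Threshold taken from the detection guidance above: the PoC realm is 128 'A'
# characters, so a realm of 128 bytes or more is treated as suspicious (assumption).
REALM_LIMIT = 128

# One directive of an RFC 2831 DIGEST-MD5 challenge: name=value, where the value
# is either a quoted string or a bare token running up to the next comma.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


def parse_digest_challenge(challenge: str) -> list:
    """Return the challenge's directives as (name, value) pairs, in order.

    A list rather than a dict: a server may send more than one realm directive,
    and a detector should look at every one of them.
    """
    pairs = []
    for m in _DIRECTIVE_RE.finditer(challenge):
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        pairs.append((m.group(1).lower(), value))
    return pairs


def challenge_payload(line: str) -> str:
    """Strip the continuation prefix a server puts before the base64 challenge:
    '+ ' for POP3/IMAP and '334 ' for SMTP. A bare base64 string is returned as-is."""
    line = line.strip()
    for prefix in ("+ ", "334 "):
        if line.startswith(prefix):
            return line[len(prefix):]
    return line


def decode_challenge(line: str) -> str:
    """Base64-decode one server challenge line into its directive text."""
    raw = base64.b64decode(challenge_payload(line), validate=True)
    return raw.decode("utf-8", "replace")


def check_challenge(line: str, limit: int = REALM_LIMIT) -> dict:
    """Verdict for one DIGEST-MD5 challenge line.

    Returns the number of realm directives, the longest realm in bytes and a
    'suspicious' flag set when any realm is `limit` bytes or longer, so a caller
    can log the offending length instead of only a boolean.
    """
    realms = [v for k, v in parse_digest_challenge(decode_challenge(line)) if k == "realm"]
    longest = max((len(v.encode("utf-8")) for v in realms), default=0)
    return {
        "realm_count": len(realms),
        "max_realm_bytes": longest,
        "suspicious": longest >= limit,
    }


# Constructed samples (not captured traffic). The first mirrors the PoC challenge
# quoted on this page: a 128-byte realm followed by ordinary directives.
MALICIOUS_CHALLENGE = base64.b64encode(
    ('realm="' + "A" * 128 + '",nonce="OA6MG9tEQGm2hh",qop="auth",'
     'algorithm=md5-sess,charset=utf-8').encode()
).decode()

BENIGN_CHALLENGE = base64.b64encode(
    b'realm="mail.example.test",nonce="OA6MG9tEQGm2hh",qop="auth",'
    b'algorithm=md5-sess,charset=utf-8'
).decode()


if __name__ == "__main__":
    # POP3 framing on the first, SMTP framing on the second, to show both prefixes.
    for label, line in (("poc", "+ " + MALICIOUS_CHALLENGE),
                        ("benign", "334 " + BENIGN_CHALLENGE)):
        print(label, check_challenge(line))
```

The parser keeps quoted values intact (so a `qop="auth,auth-int"` directive is not split at its comma) and returns every realm rather than the last one seen, which matters because the length check has to cover all of them. Feeding the script lines captured from a POP3, IMAP or SMTP session, one challenge per line, is the intended use.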
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
ghsa_unreviewed · 2022-05-05 · HIGH · CWE-119
GHSA-mj69-wpmp-9c9f: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl (same description as the CVE entry above).
OSV
osv · 2013-03-08 · CVSS 7.5 · HIGH
CVE-2013-0249: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl (same description as the CVE entry above).
Ubuntu
vendor_ubuntu · 2013-02-12
Title: curl vulnerability
Summary: curl could be made to crash or run programs if it opened a malicious URL.
It was discovered that curl incorrectly handled SASL authentication when
communicating over POP3, SMTP or IMAP. If a user or automated system were
tricked into processing a specially crafted URL, an attacker could cause
a denial of service, or possibly execute arbitrary code. The default
compiler options for affected releases should reduce the vulnerability to a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
vendor_redhat · 2013-02-06 · CVSS 7.5 · HIGH · CWE-121
curl: Stack-based buffer overflow when negotiating SASL DIGEST-MD5 authentication with IMAP, POP3 and SMTP protocols (same description as the CVE entry above).
Statement: Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5 and 6.
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Not affected
Debian
vendor_debian · 2013 · CVSS 7.5 · HIGH
CVE-2013-0249: curl - Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function ... (same description as the CVE entry above).
Scope: local
bookworm: resolved (fixed in 7.29.0-1)
bullseye: resolved (fixed in 7.29.0-1)
forky: resolved (fixed in 7.29.0-1)
sid: resolved (fixed in 7.29.0-1)
trixie: resolved (fixed in 7.29.0-1)
No detection rules found.
Bugzilla
bugzilla · 2013-02-06 · CVSS 7.5 · HIGH
CVE-2013-0249 curl: Stack-based buffer overflow when negotiating SASL DIGEST-MD5 authentication with IMAP, POP3 and SMTP protocols [fedora-18]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and t
Bugzilla
bugzilla · 2013-02-01 · CVSS 7.5 · HIGH
CVE-2013-0249 curl: Stack-based buffer overflow when negotiating SASL DIGEST-MD5 authentication with IMAP, POP3 and SMTP protocols
A stack-based buffer overflow flaw was found in the way the SASL implementation of cURL, a command line tool for transferring data with URL syntax, performed DIGEST-MD5 authentication negotiation for the IMAP, POP3, and SMTP protocols. A rogue server could use this flaw to cause the curl executable, or an application using the libcurl library, to crash or, potentially, execute arbitrary code with the privileges of the user running the curl binary or the application.
Discussion:
- Created attachment 691585: proposed upstream patch to correct this issue.
- This issue did not affect the versions of the curl package, as shipped with Red Hat Enterprise Linux 5 and 6.
- This i
References
- http://blog.volema.com/curl-rce.html
- http://curl.haxx.se/docs/adv_20130206.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099140.html
- http://nakedsecurity.sophos.com/2013/02/10/anatomy-of-a-vulnerability-curl-web-download-toolkit-holed-by-authentication-bug/
- http://packetstormsecurity.com/files/120147/cURL-Buffer-Overflow.html
- http://packetstormsecurity.com/files/120170/Slackware-Security-Advisory-curl-Updates.html
- http://www.exploit-db.com/exploits/24487
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.osvdb.org/89988
- http://www.securityfocus.com/bid/57842
- http://www.securitytracker.com/id/1028093
- http://www.ubuntu.com/usn/USN-1721-1