#1193 cURL/libcurl Segmentation Fault due to a NULL pointer in Curl_sasl_create_digest_md5_message()

closed-fixed
nobody
None
5
2014-08-25
2013-02-11
Saran Neti
No

While trying to reproduce libcurl SASL buffer overflow (as noted in advisory: http://curl.haxx.se/docs/adv_20130206.html) using SMTP, I encountered a separate problem that causes cURL to terminate when processing base64 encoded Digest-MD5 challenges.

Program received signal SIGSEGV, Segmentation fault.
__strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
(gdb) bt
0 __strstr_sse2 (haystack_start=0x0, needle_start=0x7ffff7bcf9ae "nonce=\"") at ../string/strstr.c:63
1 0x00007ffff7bc624f in sasl_digest_get_key_value () from /usr/local/lib/libcurl.so.4
2 0x00007ffff7bc68d9 in Curl_sasl_create_digest_md5_message () from usr/local/lib/libcurl.so.4
3 0x00007ffff7bc1247 in smtp_statemach_act () from /usr/local/lib/libcurl.so.4
4 0x00007ffff7bc02c6 in smtp_multi_statemach () from /usr/local/lib/libcurl.so.4
5 0x00007ffff7bb4adf in multi_runsingle () from /usr/local/lib/libcurl.so.4
6 0x00007ffff7bb54e5 in curl_multi_perform () from /usr/local/lib/libcurl.so.4
7 0x00007ffff7bae3ed in curl_easy_perform () from /usr/local/lib/libcurl.so.4
8 0x0000000000409e87 in operate ()
9 0x000000000040229a in main ()

The following message exchange between cURL and smtp server should reproduce the problem:

< 220 dhcp164.vrt.telus.com ESMTP (Ubuntu)

EHLO .
< 250-dhcp164.vrt.telus.com Hello .
< 250 AUTH DIGEST-MD5
AUTH DIGEST-MD5
< 334
< eA==

When the server sends any base 64 encoded string, in this case "eA==", cURL crashes.
The problem is because "chlg" is returned as NULL after function call to Curl_base64_decode() in function Curl_sasl_create_digest_md5_message() in libs/curl_sasl.c.

Tested using:
curl 7.29.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.29.1-DEV cURL -L was used to connect to a http url containing the smtp redirect.

Compiled from:
git rev-parse HEAD: 463082bea42d8bea751303da340218a18fb67e85

Patch:
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index d07387d..4d13263 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -283,6 +283,9 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
if(result)
return result;

  • if(chlg == NULL) {
  • return CURLE_LOGIN_DENIED;
  • }
    / Retrieve nonce string from the challenge /
    if(!sasl_digest_get_key_value(chlg, "nonce=\"", nonce,
    sizeof(nonce), '\"')) {

I'm not on any mailing list. Please contact me using email directly if I can be of any further assistance.

Cheers,
Saran Neti,
Vulnerability Researcher, Telus Security Labs

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-02-12

    Thanks, this is now fixed in git with commit e6c1e773d9e506e.

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-02-12
    • status: open --> closed-fixed
    • milestone: -->
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks