Critical cURL Buffer Overflow Vulnerability
cURL is a free, widely-used, open-source command line tool and library (libcurl) used for transferring data using URL syntax.
Last week a critical buffer overflow vulnerability was discovered and patched in the cURL library. The vulnerability is present when an application is using cURL or libcurl over the POP3, SMTP, or IMAP protocols. The vulnerability lies in the function used to handle SASL DIGEST-MD5 authentication, and the versions affected by this are 7.26.0 through 7.28.1. Here is a detailed description of the vulnerability:
When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack. This vulnerability can be exploited by someone who is in control of a server that a libcurl based program is accessing with POP3, SMTP or IMAP. For applications that accept user provided URLs, it is also thinkable that a malicious user would feed an application with a URL to a server hosting code targeting this flaw. From SecLists
The group that discovered this vulnerability has provided an explanation of the workflow of this exploit. They've stated that, even though this vulnerability requires POP3, IMAP, and SMTP protocols, HTTP URLs can also be used as an attack vector since cURL allows for redirections (for instance, responding with a 302 code and redirecting to something like pop3://x:firstname.lastname@example.org). View their full explanation here:
One can prevent these redirections, however, by using the CURLOPT_FOLLOWLOCATION and CURLOPT_REDIR_PROTOCOLS parameters to disable following 'location' headers and limit redirect protocols.
To rectify this issue, libcurl 7.29.0 was released last Wednesday, however it is also possible to secure your code by setting the CURLOPT_PROTOCOLS parameter to disable the vulnerable protocols.
Since cURL is so widely used, it is very important that developers update their library because this is a very critical vulnerability.