CURL-CVE-2018-1000120
- Source
- https://curl.se/docs/CVE-2018-1000120.html
- Import Source
- https://curl.se/docs/CURL-CVE-2018-1000120.json
- Aliases
- Published
- 2018-03-14T08:00:00Z
- Modified
- 2024-01-25T02:42:28.223539Z
- Details
-
curl can be fooled into writing a zero byte out of bounds.
This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command (
--ftp-method singlecwdor the libcurl alternativeCURLOPT_FTP_FILEMETHOD).curl then URL-decodes the given path, calls strlen() on the result and deducts the length of the file name part to find the end of the directory within the buffer. It then writes a zero byte on that index, in a buffer allocated on the heap.
If the directory part of the URL contains a "%00" sequence, the directory length might end up shorter than the file name path, making the calculation
size_t index = directory_len - filepart_lenend up with a huge index variable for where the zero byte gets stored:heap_buffer[index] = 0. On several architectures that huge index will wrap and work as a negative value, thus overwriting memory before the intended heap buffer.By using different file part lengths and putting %00 in different places in the URL, an attacker that can control what paths a curl-using application uses can write that zero byte on different indexes.
- References
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.12.3Fixed7.59.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events