Advisory EM06/2004: libneon date parsing vulnerability

                           e-matters GmbH

-= Security Advisory =-

Advisory: libneon date parsing vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser

Application: libneon <= 0.24.5
Severity: A vulnerability within a date parsing function
allows arbitrary code execution
Risk: Medium
Vendor Status: Vendor is releasing a bugfixed version.


Quote from:

"neon is an HTTP and WebDAV client library, with a C interface. Featuring:

* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."

A vulnerability within a libneon date parsing function could cause a
heap overflow which could lead to remote code execution, depending on
the application using libneon.

OpenOffice and Subversion *DO NOT* use this function and are therefore
not vulnerable to THIS problem.


While scanning the libneon source code for common programming errors
an unsafe usage of sscanf() was discovered within one of the date
parsing functions.

When a specially crafted date string is passed to ne_rfc1036_parse(),
it may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon
but is considered trivial in cases where an out-of-memory condition
can be triggered, because the overflowing variable is placed in front
of the libneon out-of-memory callback function pointer.

Please note that your application could be vulnerable even if you
do not use ne_rfc1036_parse() directly, because its functionality
is used by several higher level API functions.
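
The class of bug described above, as an added example that is not part of
the original advisory and is not neon's source code: a width-bounded
sscanf() parse of an RFC 1036 date. The function name, buffer sizes and
the two-digit-year pivot are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Unsafe pattern, shown as a comment only (illustrative, not neon's code):
 * "%s" has no field width, so sscanf() copies every non-space input byte
 * into the fixed-size static buffer:
 *     static char wkday[10], mon[4];
 *     sscanf(date, "%s %2d-%3s-%2d %2d:%2d:%2d GMT", wkday, ...);
 */
static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Hypothetical helper (not neon's API): parses an RFC 1036 date such as
 * "Sunday, 06-Nov-94 08:49:37 GMT". Returns 0 on success, -1 on error. */
int parse_rfc1036_bounded(const char *date, struct tm *out)
{
    char wkday[11], mon[4];            /* field width + 1 for the NUL */
    int mday, year, hour, min, sec, m, end = 0;

    if (date == NULL || out == NULL)
        return -1;
    /* Each %s width is one less than its buffer; %n is only stored when
     * the trailing " GMT" literal matched as well. */
    if (sscanf(date, "%10s %2d-%3s-%2d %2d:%2d:%2d GMT%n", wkday, &mday,
               mon, &year, &hour, &min, &sec, &end) != 7
        || end == 0 || date[end] != '\0')
        return -1;
    for (m = 0; m < 12 && strcmp(mon, MONTHS[m]) != 0; m++)
        ;
    if (m == 12 || mday < 1 || mday > 31 || year < 0 || hour < 0
        || hour > 23 || min < 0 || min > 59 || sec < 0 || sec > 60)
        return -1;
    memset(out, 0, sizeof *out);
    out->tm_mday = mday;
    out->tm_mon = m;
    out->tm_year = year < 50 ? year + 100 : year; /* assumed pivot: 00-49 is 20xx */
    out->tm_hour = hour;
    out->tm_min = min;
    out->tm_sec = sec;
    return 0;
}

int main(void)
{
    struct tm t;
    const char *sample = "Sunday, 06-Nov-94 08:49:37 GMT"; /* constructed */
    printf("%d\n", parse_rfc1036_bounded(sample, &t));
    return 0;
}
```

An overlong weekday token is cut off at the field width, the next
conversion then fails, and the date is rejected.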

Proof of Concept:

e-matters is not going to release an exploit for this vulnerability to
the public.

Disclosure Timeline:

02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits
for the public disclosure date
19. May 2004 - Coordinated Public Disclosure

CVE Information:

The Common Vulnerabilities and Exposures project has
assigned the name CAN-2004-0398 to this issue.


Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function, the issue is rated with a
medium severity. Nevertheless, upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.


pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC

Copyright 2004 Stefan Esser. All rights reserved.

© Hardened PHP Project