Advisory EM06/2004: libneon date parsing vulnerability



                           e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: libneon date parsing vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser [s.esser@hardened-php.net]

Application: libneon <= 0.24.5
Severity: A vulnerability within a date parsing function
allows arbitrary code execution
Risk: Medium
Vendor Status: Vendor is releasing a bugfixed version.
Reference: http://security.e-matters.de/advisories/062004.html


Overview:

Quote from: http://www.webdav.org/neon

"neon is an HTTP and WebDAV client library, with a C interface. Featuring:

* High-level interface to HTTP and WebDAV methods (PUT, GET, HEAD etc)
* Low-level interface to HTTP request handling, to allow implementing...
* persistent connections
* RFC2617 basic and digest authentication (including auth-int, md5-sess)
* Proxy support (including basic/digest authentication)
* SSL/TLS support using OpenSSL (including client certificate support)
* Generic WebDAV 207 XML response handling mechanism
* XML parsing using the expat or libxml parsers
* Easy generation of error messages from 207 error responses
* WebDAV resource manipulation: MOVE, COPY, DELETE, MKCOL.
* WebDAV metadata support: set and remove properties, query any set...
* autoconf macros supplied for easily embedding neon directly inside..."

A vulnerability within a libneon date parsing function could cause a
heap overflow which could lead to remote code execution, depending on
the application using libneon.

OpenOffice and Subversion *DO NOT* use this function and are therefore
not vulnerable to THIS problem.


Details:

While scanning the libneon source code for common programming errors
an unsafe usage of sscanf() was discovered within one of the date
parsing functions.

When a special crafted date string is passed to the ne_rfc1036_parse()
it may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon
but is considered trivial in cases where an out-of-memory condition
can be triggered, because the overflowing variable is placed infront
of the libneon out-of-memory callback function pointer.

Please notice that your application could be vulnerable even if you
do not use ne_rfc1036_parse() directly, because its functionality
is used by several higher level API functions.


Proof of Concept:

e-matters is not going to release an exploit for this vulnerability to
the public.


Disclosure Timeline:

02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits
for the public disclosure date
19. May 2004 - Coordinated Public Disclosure


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue.


Recommendation:

Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function the issue is rated with a
medium severity. Nevertheless upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

© Hardened PHP Project