CVE-2017-1000254

Published: 06/10/2017 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

libcurl may read outside of a heap-allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it: the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
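The fix described in the last sentence (always NUL-terminate, and reject a name whose closing double quote is missing) is the defensive pattern worth taking away. The parser below is an added example written for this page, not libcurl's own code: the function and enum names are assumed, and the handling of a doubled `""` inside the name as a literal quote is taken from RFC 959, which the summary does not mention. The reply strings in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result codes for the 257-reply parser (names assumed for this example). */
enum pwd_result {
    PWD_OK = 0,
    PWD_BAD_CODE,      /* reply is not a 257 */
    PWD_NO_QUOTE,      /* no opening double quote after the code */
    PWD_UNTERMINATED,  /* opening quote but no closing quote: the CVE case */
    PWD_TOO_LONG       /* name does not fit in the caller's buffer */
};

/*
 * Copy the quoted directory name from an FTP "257 ..." reply line into out.
 * Hardened rules:
 *   - out is NUL-terminated on every path, success or failure, so a caller
 *     that ignores the return value still cannot read past the buffer;
 *   - a name with no closing double quote is rejected instead of being
 *     stored without a terminator;
 *   - a doubled quote ("") inside the name is unescaped to one quote
 *     (RFC 959 convention, assumed here).
 */
static enum pwd_result parse_pwd_reply(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;

    if (outsz == 0)
        return PWD_TOO_LONG;
    out[0] = '\0';                      /* terminate before anything else */

    if (strncmp(line, "257", 3) != 0)
        return PWD_BAD_CODE;
    p = strchr(line + 3, '"');
    if (!p)
        return PWD_NO_QUOTE;
    p++;                                /* first char of the name */

    for (;;) {
        char c = *p;
        if (c == '\0' || c == '\r' || c == '\n') {
            out[0] = '\0';              /* discard the partial copy */
            return PWD_UNTERMINATED;
        }
        if (c == '"') {
            if (p[1] == '"')
                p++;                    /* "" -> literal quote, keep going */
            else
                break;                  /* closing quote found */
        }
        if (n + 1 >= outsz) {           /* leave room for the NUL */
            out[0] = '\0';
            return PWD_TOO_LONG;
        }
        out[n++] = c;
        p++;
    }
    out[n] = '\0';
    return PWD_OK;
}

int main(void)
{
    /* Constructed sample replies: a benign one and the malformed case. */
    const char *good = "257 \"/home/ftp\" is the current directory.\r\n";
    const char *bad  = "257 \"/home/ftp\r\n";   /* closing quote missing */
    char name[64];

    printf("good -> %d, name=\"%s\"\n", parse_pwd_reply(good, name, sizeof name), name);
    printf("bad  -> %d, name=\"%s\"\n", parse_pwd_reply(bad, name, sizeof name), name);
    return 0;
}
```

Terminating the output buffer before any parsing starts, rather than only on the success path, is what removes the whole class of "forgot the NUL on one branch" bugs; the explicit `PWD_UNTERMINATED` result then lets the caller log and drop the connection rather than proceed with a directory name it cannot trust.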

Vulnerable Products

haxx libcurl 7.9.5

haxx libcurl 7.9.1

haxx libcurl 7.19.0

haxx libcurl 7.19.6

haxx libcurl 7.8

haxx libcurl 7.9.6

haxx libcurl 7.7.2

haxx libcurl 7.21.2

haxx libcurl 7.11.2

haxx libcurl 7.37.0

haxx libcurl 7.40.0

haxx libcurl 7.17.1

haxx libcurl 7.19.4

haxx libcurl 7.30.0

haxx libcurl 7.25.0

haxx libcurl 7.12.0

haxx libcurl 7.21.3

haxx libcurl 7.16.4

haxx libcurl 7.7.1

haxx libcurl 7.12.3

haxx libcurl 7.8.1

haxx libcurl 7.33.0

haxx libcurl 7.18.0

haxx libcurl 7.23.0

haxx libcurl 7.19.1

haxx libcurl 7.26.0

haxx libcurl 7.36.0

haxx libcurl 7.9.4

haxx libcurl 7.10.5

haxx libcurl 7.10.2

haxx libcurl 7.15.2

haxx libcurl 7.16.0

haxx libcurl 7.16.2

haxx libcurl 7.34.0

haxx libcurl 7.31.0

haxx libcurl 7.15.5

haxx libcurl 7.35.0

haxx libcurl 7.22.0

haxx libcurl 7.20.0

haxx libcurl 7.7.3

haxx libcurl 7.9.2

haxx libcurl 7.21.0

haxx libcurl 7.14.1

haxx libcurl 7.28.0

haxx libcurl 7.11.1

haxx libcurl 7.18.2

haxx libcurl 7.13.0

haxx libcurl 7.21.5

haxx libcurl 7.15.1

haxx libcurl 7.19.3

haxx libcurl 7.17.0

haxx libcurl 7.24.0

haxx libcurl 7.13.1

haxx libcurl 7.10.8

haxx libcurl 7.27.0

haxx libcurl 7.9

haxx libcurl 7.15.3

haxx libcurl 7.19.7

haxx libcurl 7.12.1

haxx libcurl 7.10.6

haxx libcurl 7.42.1

haxx libcurl 7.10.3

haxx libcurl 7.41.0

haxx libcurl 7.23.1

haxx libcurl 7.21.6

haxx libcurl 7.19.5

haxx libcurl 7.9.7

haxx libcurl 7.42.0

haxx libcurl 7.14.0

haxx libcurl 7.10

haxx libcurl 7.21.7

haxx libcurl 7.21.1

haxx libcurl 7.38.0

haxx libcurl 7.10.4

haxx libcurl 7.16.3

haxx libcurl 7.9.3

haxx libcurl 7.13.2

haxx libcurl 7.15.4

haxx libcurl 7.20.1

haxx libcurl 7.11.0

haxx libcurl 7.16.1

haxx libcurl 7.32.0

haxx libcurl 7.29.0

haxx libcurl 7.7

haxx libcurl 7.10.1

haxx libcurl 7.37.1

haxx libcurl 7.18.1

haxx libcurl 7.10.7

haxx libcurl 7.9.8

haxx libcurl 7.28.1

haxx libcurl 7.12.2

haxx libcurl 7.39

haxx libcurl 7.15.0

haxx libcurl 7.21.4

haxx libcurl 7.19.2

haxx libcurl 7.52.0

haxx libcurl 7.52.1

haxx libcurl 7.53.0

haxx libcurl 7.53.1

haxx libcurl 7.54.0

haxx libcurl 7.54.1

haxx libcurl 7.50.3

haxx libcurl 7.51.0

haxx libcurl 7.43.0

haxx libcurl 7.44.0

haxx libcurl 7.45.0

haxx libcurl 7.46.0

haxx libcurl 7.47.0

haxx libcurl 7.47.1

haxx libcurl 7.48.0

haxx libcurl 7.49.0

haxx libcurl 7.49.1

haxx libcurl 7.50.0

haxx libcurl 7.50.1

haxx libcurl 7.50.2

haxx libcurl 7.55.1

haxx libcurl 7.55.0

Vendor Advisories

Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages for Microsoft Windows and Oracle Solaris are now available. Red Hat Product Security has rated this release ...
Synopsis Moderate: httpd24 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
Debian Bug report logs - #877671 curl: CVE-2017-1000254: FTP PWD response parser out of bounds read Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 4 Oct 2017 06:21:02 UTC Severity: serious Tags: fixed-upstream, pat ...
Several vulnerabilities have been discovered in cURL, a URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-1000100 Even Rouault reported that cURL does not properly handle long file names when doing a TFTP upload. A malicious HTTP(S) server can take advantage of this fla ...
Several security issues were fixed in curl ...
Several security issues were fixed in curl ...
FTP PWD response parser out of bounds read. libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes ...
libcurl is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length ...
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by li ...
When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for th ...

Github Repositories

Shellcode, reports of Amazon Echo, which we have presented on Defcon26

[DEF CON 26] Breaking Smart Speaker - Exploit Amazon Echo Shellcode, reports of Amazon Echo, which we have presented on Defcon26 These vulnerabilities have been fixed by amazon, so you need to test on devices with firmware version number equal to or less than 608490720 This repository contains RCE exploit codes for the Amazon Echo devices These exploits are based on the libc