ID CVE-2012-0036
Summary curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
Vulnerable Configurations
  • cpe:2.3:a:curl:curl:7.20.0
  • cpe:2.3:a:curl:curl:7.20.1
  • cpe:2.3:a:curl:curl:7.21.0
  • cpe:2.3:a:curl:curl:7.21.1
  • cpe:2.3:a:curl:curl:7.21.2
  • cpe:2.3:a:curl:curl:7.21.3
  • cpe:2.3:a:curl:curl:7.21.4
  • cpe:2.3:a:curl:curl:7.21.5
  • cpe:2.3:a:curl:curl:7.21.6
  • cpe:2.3:a:curl:curl:7.21.7
  • cpe:2.3:a:curl:curl:7.22.0
  • cpe:2.3:a:curl:curl:7.23.0
  • cpe:2.3:a:curl:curl:7.23.1
  • cpe:2.3:a:curl:libcurl:7.20.0
  • cpe:2.3:a:curl:libcurl:7.20.1
  • cpe:2.3:a:curl:libcurl:7.21.0
  • cpe:2.3:a:curl:libcurl:7.21.1
  • cpe:2.3:a:curl:libcurl:7.21.2
  • cpe:2.3:a:curl:libcurl:7.21.3
  • cpe:2.3:a:curl:libcurl:7.21.4
  • cpe:2.3:a:curl:libcurl:7.21.5
  • cpe:2.3:a:curl:libcurl:7.21.6
  • cpe:2.3:a:curl:libcurl:7.21.7
  • cpe:2.3:a:curl:libcurl:7.22.0
  • cpe:2.3:a:curl:libcurl:7.23.0
  • cpe:2.3:a:curl:libcurl:7.23.1
Base: 7.5 (as of 12-08-2015 - 10:29)
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally, SQL injection attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every database management system (DBMS) includes facilities that, if compromised, allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_CURL-120124.NASL
    description The following vulnerabilities have been fixed in curl : - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75806
    published 2014-06-13
    reporter Tenable
    title openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)
  • NASL family Debian Local Security Checks
    description Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-3389 This update enables OpenSSL workarounds against the 'BEAST' attack. Additional information can be found in the cURL advisory - CVE-2012-0036 Dan Fandrich discovered that cURL performs insufficient sanitising when extracting the file path part of an URL.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 57738
    published 2012-01-31
    reporter Tenable
    title Debian DSA-2398-2 : curl - several vulnerabilities (BEAST)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-76.NASL
    description - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452, CVE-2012-0036) - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option when built against an older OpenSSL version (CVE-2010-4180). - Don't enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (bnc#742306, CVE-2011-3389).
    last seen 2019-02-21
    modified 2015-10-22
    plugin id 74807
    published 2014-06-13
    reporter Tenable
    title openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)
  • NASL family Mandriva Local Security Checks
    description Multiple vulnerabilities have been found and corrected in curl : curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. A work-around has been added to mitigate the problem (CVE-2011-3389). curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs (CVE-2012-0036). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 58759
    published 2012-04-16
    reporter Tenable
    title Mandriva Linux Security Advisory : curl (MDVSA-2012:058)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201203-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201203-02 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been found in cURL: When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192). When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). Impact : A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 58212
    published 2012-03-06
    reporter Tenable
    title GLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1346-1.NASL
    description Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 57689
    published 2012-01-25
    reporter Tenable
    title Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-0894.NASL
    description reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 57719
    published 2012-01-30
    reporter Tenable
    title Fedora 16 : curl-7.21.7-6.fc16 (2012-0894)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-0888.NASL
    description reject URLs containing bad data (CVE-2012-0036) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 57897
    published 2012-02-13
    reporter Tenable
    title Fedora 15 : curl-7.21.3-13.fc15 (2012-0888)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_7_4.NASL
    description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components : - Login Window - Bluetooth - curl - HFS - Kernel - libarchive - libsecurity - libxml - LoginUIFramework - PHP - Quartz Composer - QuickTime - Ruby - Security Framework - Time Machine - X11 Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 59066
    published 2012-05-10
    reporter Tenable
    title Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)
  • NASL family Web Servers
    NASL id HPSMH_7_1_1_1.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities : - The bundled version of the libxml2 library contains multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821, CVE-2011-2834) - The bundled version of PHP contains multiple vulnerabilities. (CVE-2011-3379, CVE-2011-4153, CVE-2011-4885, CVE-2012-1823, CVE-2012-0057, CVE-2012-0830) - The bundled version of the Apache HTTP Server contains multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317, CVE-2011-4415, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053) - An issue exists in the 'include/iniset.php' script in the embedded RoundCube Webmail version that could lead to a denial of service. (CVE-2011-4078) - The bundled version of OpenSSL contains multiple vulnerabilities. (CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-1165) - The bundled version of curl and libcurl does not properly consider special characters during extraction of a pathname from a URL. (CVE-2012-0036) - An off autocomplete attribute does not exist for unspecified form fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. (CVE-2012-2012) - An unspecified vulnerability exists that could allow a remote attacker to cause a denial of service, or possibly obtain sensitive information or modify data. (CVE-2012-2013) - An unspecified vulnerability exists related to improper input validation. (CVE-2012-2014) - An unspecified vulnerability allows remote, unauthenticated users to gain privileges and obtain sensitive information. (CVE-2012-2015) - An unspecified vulnerability allows local users to obtain sensitive information via unknown vectors. (CVE-2012-2016)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59851
    published 2012-07-05
    reporter Tenable
    title HP System Management Homepage < 7.1.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    description This update to curl fixes the following security issue : - Don't set SSL_OP_ALL to avoid potential DTLS sniffing attacks. (CVE-2012-0036)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 57842
    published 2012-02-06
    reporter Tenable
    title SuSE 10 Security Update : curl (ZYPP Patch Number 7937)
refmap via4
apple APPLE-SA-2012-05-09-1
bid 51665
debian DSA-2398
gentoo GLSA-201203-02
  • HPSBMU02786
  • SSRT100877
mandriva MDVSA-2012:058
sectrack 1032924
secunia 48256
Last major update 28-11-2016 - 14:07
Published 13-04-2012 - 16:55
Last modified 09-01-2018 - 21:29