CAPEC |
-
Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
-
Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
-
Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
-
Cross Site Scripting through Log Files
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
-
Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
-
Object Relational Mapping Injection
An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
-
SQL Injection through SOAP Parameter Tampering
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
-
Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
-
Format String Injection
An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
-
LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
-
Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
-
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
-
Variable Manipulation
An attacker manipulates variables used by an application to perform a variety of possible attacks. This can either be performed through the manipulation of function call parameters or by manipulating external variables, such as environment variables, that are used by an application. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
-
Embedding Scripts in Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements.
As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
-
Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
-
Cross-Site Scripting Using Alternate Syntax
The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
-
Exploiting Trust in Client (aka Make the Client Invisible)
An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client.
An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client.
There are numerous variations of this type of attack.
-
XML Nested Payloads
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
-
XML Oversized Payloads
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
-
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
-
Cross-Site Scripting via Encoded URI Schemes
An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.
-
XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
-
Environment Variable Manipulation
An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
-
Global variable manipulation
An attacker manipulates global variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
-
Leverage Alternate Encoding
This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult.
-
Fuzzing
Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system.
An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals.
-
Using Leading 'Ghost' Character Sequences to Bypass Input Filters
An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes.
One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
-
Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
-
Embedding Scripts in HTTP Query Strings
A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on.
-
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
-
Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps.
The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application:
In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
-
Buffer Overflow via Symbolic Links
This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
-
Overflow Variables and Tags
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
-
Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
-
Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
-
XML Client-Side Attack
Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
-
Embedding NULL Bytes
An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
-
Postfix, Null Terminate, and Backslash
If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.
-
Simple Script Injection
An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level.
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
-
Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
-
SQL Injection
This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended.
SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
-
String Format Overflow in syslog()
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
-
Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection.
For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries:
If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
-
Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
-
URL Encoding
This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).
-
User-Controlled Filename
An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
-
Using Escaped Slashes in Alternate Encoding
This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
-
Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
-
Buffer Overflow in an API Call
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
-
Using UTF-8 Encoding to Bypass Validation Logic
This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.
-
Web Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
-
XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
-
AJAX Fingerprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application.
A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
-
Embedding Script (XSS) in HTTP Headers
An attack of this type exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.
-
OS Command Injection
In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
-
Buffer Overflow in Local Command-Line Utilities
This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
-
XSS in IMG Tags
Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
-
XML Parser Attack
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
|
nessus
via4
|
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1280.NASL | description | This update for curl fixes the following security issues :
- CVE-2016-8624: invalid URL parsing with '#'
(bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies
(bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer
truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds
(bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds
(bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf
(bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication
(bsc#1005635)
- CVE-2016-8616: case insensitive password comparison
(bsc#1005634)
- CVE-2016-8615: cookie injection for other servers
(bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows
(bsc#998760)
This update was imported from the SUSE:SLE-12:Update update project. | last seen | 2019-01-16 | modified | 2016-11-14 | plugin id | 94752 | published | 2016-11-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94752 | title | openSUSE Security Update : curl (openSUSE-2016-1280) |
NASL family | Huawei Local Security Checks | NASL id | EULEROS_SA-2017-1035.NASL | description | According to the versions of the curl packages installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :
- Multiple integer overflows in the (1) curl_escape, (2)
curl_easy_escape, (3) curl_unescape, and (4)
curl_easy_unescape functions in libcurl before 7.50.3
allow attackers to have unspecified impact via a string
of length 0xffffffff, which triggers a heap-based
buffer overflow.(CVE-2016-7167)
- ** RESERVED ** This candidate has been reserved by an
organization or individual that will use it when
announcing a new security problem. When the candidate
has been publicized, the details for this candidate
will be
provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE
-2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV
E-2016-8623,CVE-2016-8624)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-14 | plugin id | 99880 | published | 2017-05-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=99880 | title | EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1035) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2016-E8E8CDB4ED.NASL | description | - fix cookie injection for other servers (CVE-2016-8615)
- compare user/passwd case-sensitively while reusing
connections (CVE-2016-8616)
- base64: check for integer overflow on large input
(CVE-2016-8617)
- fix double-free in krb5 code (CVE-2016-8619)
- fix double-free in curl_maprintf() (CVE-2016-8618)
- fix glob parser write/read out of bounds (CVE-2016-8620)
- fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
- fix URL unescape heap overflow via integer truncation
(CVE-2016-8622)
- fix use-after-free via shared cookies (CVE-2016-8623)
- urlparse: accept '#' as end of host name (CVE-2016-8624)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-10-01 | plugin id | 94592 | published | 2016-11-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94592 | title | Fedora 24 : curl (2016-e8e8cdb4ed) |
NASL family | Slackware Local Security Checks | NASL id | SLACKWARE_SSA_2016-308-01.NASL | description | New curl packages are available for Slackware 13.0, 13.1, 13.37,
14.0, 14.1, 14.2, and -current to fix security issues. | last seen | 2019-01-16 | modified | 2018-10-01 | plugin id | 94516 | published | 2016-11-04 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94516 | title | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-308-01) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DLA-711.NASL | description | CVE-2016-8615 If cookie state is written into a cookie jar file that
is later read back and used for subsequent requests, a malicious HTTP
server can inject new cookies for arbitrary domains into said cookie
jar. The issue pertains to the function that loads cookies into
memory, which reads the specified file into a fixed-size buffer in a
line-by-line manner using the `fgets()` function. If an invocation of
fgets() cannot read the whole line into the destination buffer due to
it being too small, it truncates the output. This way, a very long
cookie (name + value) sent by a malicious server would be stored in
the file and subsequently that cookie could be read partially and
crafted correctly, it could be treated as a different cookie for
another server.
CVE-2016-8616 When re-using a connection, curl was doing case
insensitive comparisons of user name and password with the existing
connections. This means that if an unused connection with proper
credentials exists for a protocol that has connection-scoped
credentials, an attacker can cause that connection to be reused if
s/he knows the case-insensitive version of the correct password.
CVE-2016-8617 In libcurl's base64 encode function, the output buffer
is allocated as follows without any checks on insize: malloc( insize *
4 / 3 + 4 ) On systems with 32-bit addresses in userspace (e.g. x86,
ARM, x32), the multiplication in the expression wraps around if insize
is at least 1GB of data. If this happens, an undersized output buffer
will be allocated, but the full result will be written, thus causing
the memory behind the output buffer to be overwritten. Systems with 64
bit versions of the `size_t` type are not affected by this issue.
CVE-2016-8618 The libcurl API function called `curl_maprintf()` can be
tricked into doing a double-free due to an unsafe `size_t`
multiplication, on systems using 32 bit `size_t` variables. The
function is also used internallty in numerous situations. Systems with
64 bit versions of the `size_t` type are not affected by this issue.
CVE-2016-8619 In curl's implementation of the Kerberos authentication
mechanism, the function `read_data()` in security.c is used to fill
the necessary krb5 structures. When reading one of the length fields
from the socket, it fails to ensure that the length parameter passed
to realloc() is not set to 0.
CVE-2016-8621 The `curl_getdate` converts a given date string into a
numerical timestamp and it supports a range of different formats and
possibilites to express a date and time. The underlying date parsing
function is also used internally when parsing for example HTTP cookies
(possibly received from remote servers) and it can be used when doing
conditional HTTP requests.
CVE-2016-8622 The URL percent-encoding decode function in libcurl is
called `curl_easy_unescape`. Internally, even if this function would
be made to allocate a unscape destination buffer larger than 2GB, it
would return that new length in a signed 32 bit integer variable, thus
the length would get either just truncated or both truncated and
turned negative. That could then lead to libcurl writing outside of
its heap based buffer.
CVE-2016-8623 libcurl explicitly allows users to share cookies between
multiple easy handles that are concurrently employed by different
threads. When cookies to be sent to a server are collected, the
matching function collects all cookies to send and the cookie lock is
released immediately afterwards. That funcion however only returns a
list with
*references* back to the original strings for name, value, path and so
on. Therefore, if another thread quickly takes the lock and frees one
of the original cookie structs together with its strings, a
use-after-free can occur and lead to information disclosure. Another
thread can also replace the contents of the cookies from separate HTTP
responses or API calls.
CVE-2016-8624 curl doesn't parse the authority component of the URL
correctly when the host name part ends with a '#' character, and could
instead be tricked into connecting to a different host. This may have
security implications if you for example use an URL parser that
follows the RFC to check for allowed domains before using curl to
request them.
For Debian 7 'Wheezy', these problems have been fixed in version
7.26.0-1+wheezy17.
We recommend that you upgrade your curl packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | last seen | 2019-01-16 | modified | 2018-10-10 | plugin id | 94941 | published | 2016-11-18 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94941 | title | Debian DLA-711-1 : curl security update |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-2714-1.NASL | description | This update for curl fixes the following security issues :
- CVE-2016-8624: invalid URL parsing with '#'
(bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies
(bsc#1005645)
- CVE-2016-8621: curl_getdate read out of bounds
(bsc#1005642)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf
(bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication
(bsc#1005635)
- CVE-2016-8616: case insensitive password comparison
(bsc#1005634)
- CVE-2016-8615: cookie injection for other servers
(bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows
(bsc#998760)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-29 | plugin id | 94572 | published | 2016-11-04 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94572 | title | SUSE SLES11 Security Update : curl (SUSE-SU-2016:2714-1) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3705.NASL | description | Several vulnerabilities were discovered in cURL, an URL transfer
library :
- CVE-2016-8615
It was discovered that a malicious HTTP server could
inject new cookies for arbitrary domains into a cookie
jar.
- CVE-2016-8616
It was discovered that when re-using a connection, curl
was doing case insensitive comparisons of user name and
password with the existing connections.
- CVE-2016-8617
It was discovered that on systems with 32-bit addresses
in userspace (e.g. x86, ARM, x32), the output buffer
size value calculated in the base64 encode function
would wrap around if input size was at least 1GB of
data, causing an undersized output buffer to be
allocated.
- CVE-2016-8618
It was discovered that the curl_maprintf() function
could be tricked into doing a double-free due to an
unsafe size_t multiplication on systems using 32 bit
size_t variables.
- CVE-2016-8619
It was discovered that the Kerberos implementation could
be tricked into doing a double-free when reading one of
the length fields from a socket.
- CVE-2016-8620
It was discovered that the curl tool's 'globbing'
feature could write to invalid memory areas when parsing
invalid ranges.
- CVE-2016-8621
It was discovered that the function curl_getdate could
read out of bounds when parsing invalid date strings.
- CVE-2016-8622
It was discovered that the URL percent-encoding decode
function would return a signed 32bit integer variable as
length, even though it allocated a destination buffer
larger than 2GB, which would lead to a out-of-bounds
write.
- CVE-2016-8623
It was discovered that libcurl could access an
already-freed memory area due to concurrent access to
shared cookies. This could lead to a denial of service
or disclosure of sensitive information.
- CVE-2016-8624
It was discovered that curl wouldn't parse the authority
component of a URL correctly when the host name part
ends with a '#' character, and could be tricked into
connecting to a different host. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94588 | published | 2016-11-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94588 | title | Debian DSA-3705-1 : curl - security update |
NASL family | Misc. | NASL id | ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL | description | The version of Oracle Secure Global Desktop installed on the remote
host is 4.71, 5.2, or 5.3 and is missing a security patch from the
April 2017 Critical Patch Update (CPU). It is, therefore, affected by
multiple vulnerabilities :
- An integer overflow condition exists in the Window System
(X11) subcomponent in multiple functions in X.Org libExt
due to improper validation of user-supplied input when
calculating the amount of memory required to handle
return data. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. Note that this issue
only affects version 4.71. (CVE-2013-1982)
- An integer overflow condition exists in X.Org libXfixes
in the XFixesGetCursorImage() function when handling
large cursor dimensions or name lengths due to improper
validation of user-supplied input. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2013-1983)
- An integer overflow condition exists within multiple
functions in X.Org libXi due to improper validation of
user-supplied input when calculating the amount of
memory needed to handle return data. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2013-1984)
- An integer overflow condition exists in X.Org
libXinerama in the XineramaQueryScreens() function due
to improper validation of user-supplied input when
calculating the amount of memory needed to handle return
data. An unauthenticated, remote attacker can exploit
this to cause a denial of service condition or the
execution of arbitrary code. (CVE-2013-1985)
- An integer overflow condition exists in multiple
functions in X.Org libXrandr due to improper validation
of user-supplied input when calculating the amount of
memory needed to handle return data. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2013-1986)
- An integer overflow condition exists in multiple
functions in X.Org libXrender due to improper validation
of user-supplied input when calculating the amount of
memory needed to handle return data. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2013-1987)
- An overflow condition exists in X.Org libXi in the
XListInputDevices() function, related to an unexpected
sign extension, due to improper checking of the amount
of memory needed to handle returned data when converting
smaller integer types to larger ones. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2013-1995)
- An overflow condition exists within multiple functions
in X.Org LibXi due to improper validation of
user-supplied input. An unauthenticated, remote attacker
can exploit this, via a specially crafted length or
index, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2013-1998)
- An overflow condition exists in X.Org LibXt in the
_XtResourceConfigurationEH() function due to improper
validation of user-supplied input. An unauthenticated,
remote attacker can exploit this, via a specially
crafted length or index, to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2013-2002)
- An integer overflow condition exists in X.Org libXcursor
in the _XcursorFileHeaderCreate() function due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this, via
a specially crafted file, to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2013-2003)
- An uninitialized pointer flaw exists within multiple
functions in X.Org LibXt due to a failure to check for
proper initialization of pointers. An unauthenticated,
remote attacker can exploit this to corrupt memory,
resulting in a denial of service condition or the
possible execution of arbitrary code. (CVE-2013-2005)
- A flaw exists in the Application Server subcomponent
(Apache Tomcat) due to a failure to process passwords
when they are paired with non-existent usernames. An
authenticated, remote attacker can exploit this, via a
timing attack, to enumerate user account names.
(CVE-2016-0762)
- Multiple integer overflow conditions exist in s3_srvr.c,
ssl_sess.c, and t1_lib.c due to improper use of pointer
arithmetic for heap-buffer boundary checks. An
unauthenticated, remote attacker can exploit these to
cause a denial of service. (CVE-2016-2177)
- An information disclosure vulnerability exists in the
dsa_sign_setup() function in dsa_ossl.c due to a failure
to properly ensure the use of constant-time operations.
An unauthenticated, remote attacker can exploit this,
via a timing side-channel attack, to disclose DSA key
information. (CVE-2016-2178)
- A denial of service vulnerability exists in the DTLS
implementation due to a failure to properly restrict the
lifetime of queue entries associated with unused
out-of-order messages. An unauthenticated, remote
attacker can exploit this, by maintaining multiple
crafted DTLS sessions simultaneously, to exhaust memory.
(CVE-2016-2179)
- An out-of-bounds read error exists in the X.509 Public
Key Infrastructure Time-Stamp Protocol (TSP)
implementation. An unauthenticated, remote attacker can
exploit this, via a crafted time-stamp file that is
mishandled by the 'openssl ts' command, to cause a
denial of service or to disclose sensitive information.
(CVE-2016-2180)
- A denial of service vulnerability exists in the
Anti-Replay feature in the DTLS implementation due to
improper handling of epoch sequence numbers in records.
An unauthenticated, remote attacker can exploit this,
via spoofed DTLS records, to cause legitimate packets to
be dropped. (CVE-2016-2181)
- An overflow condition exists in the BN_bn2dec() function
in bn_print.c due to improper validation of
user-supplied input when handling BIGNUM values. An
unauthenticated, remote attacker can exploit this to
crash the process. (CVE-2016-2182)
- A vulnerability exists, known as SWEET32, in the 3DES
and Blowfish algorithms due to the use of weak 64-bit
block ciphers by default. A man-in-the-middle attacker
who has sufficient resources can exploit this
vulnerability, via a 'birthday' attack, to detect a
collision that leaks the XOR between the fixed secret
and a known plaintext, allowing the disclosure of the
secret text, such as secure HTTPS cookies, and possibly
resulting in the hijacking of an authenticated session.
(CVE-2016-2183)
- A flaw exists in the Core subcomponent, specifically in
the libcurl library, due to improper validation of TLS
certificates. An authenticated, remote attacker with the
ability to intercept network traffic can exploit this
issue to disclose or manipulate transmitted data by
spoofing the TLS/SSL server using a certificate that
appears valid. Note that this issue only affects
versions 5.2 and 5.3. (CVE-2016-3739)
- A flaw exists in cURL and libcurl when loading dynamic
link library (DLL) files security.dll, secur32.dll, or
ws2_32.dll due searching an insecure path which may not
be trusted or under user control. A local attacker can
exploit this, via a Trojan DLL file placed in the search
path, to execute arbitrary code with the privileges of
the user running the program. (CVE-2016-4802)
- A security bypass vulnerability exists in Apache Tomcat
due to an unspecified flaw related to web applications.
A local attacker can exploit this, via a utility method
that is available to web applications, to bypass a
configured SecurityManager. (CVE-2016-5018)
- An out-of-bounds access error exists in the Window
System (X11) subcomponent, specifically in the
XvQueryAdaptors() function in file Xv.c, when handling
server responses. An authenticated, remote attacker can
exploit this to impact confidentiality, integrity, and
availability. (CVE-2016-5407)
- A use-after-free error exists in cURL and libcurl within
file lib/vtls/vtls.c due to the program attempting to
resume TLS sessions even if the client certificate
fails. An unauthenticated, remote attacker can exploit
this to bypass validation mechanisms, allowing the
attacker to possibly control which connection is used.
(CVE-2016-5419)
- A flaw exists in cURL and libcurl in the
Curl_ssl_config_matches() function within file
lib/vtls/vtls.c due to the program reusing TLS
connections with different client certificates. An
unauthenticated, remote attacker can exploit this to
disclose sensitive cross-realm information.
(CVE-2016-5420)
- A use-after-free error exists in cURL and libcurl in
in the close_all_connections() function within file
lib/multi.c due to connection pointers not being
properly cleared. An unauthenticated, remote attacker
can exploit this to have an unspecified impact on
confidentiality, integrity, and availability.
(CVE-2016-5421)
- A flaw exists in the tls_decrypt_ticket() function
in t1_lib.c due to improper handling of ticket HMAC
digests. An unauthenticated, remote attacker can exploit
this, via a ticket that is too short, to crash the
process, resulting in a denial of service.
(CVE-2016-6302)
- An integer overflow condition exists in the
MDC2_Update() function in mdc2dgst.c due to improper
validation of user-supplied input. An unauthenticated,
remote attacker can exploit this to cause a heap-based
buffer overflow, resulting in a denial of service
condition or possibly the execution of arbitrary code.
(CVE-2016-6303)
- A flaw exists in the ssl_parse_clienthello_tlsext()
function in t1_lib.c due to improper handling of overly
large OCSP Status Request extensions from clients. An
unauthenticated, remote attacker can exploit this, via
large OCSP Status Request extensions, to exhaust memory
resources, resulting in a denial of service condition.
(CVE-2016-6304)
- A flaw exists in the SSL_peek() function in
rec_layer_s3.c due to improper handling of empty
records. An unauthenticated, remote attacker can exploit
this, by triggering a zero-length record in an SSL_peek
call, to cause an infinite loop, resulting in a denial
of service condition. (CVE-2016-6305)
- An out-of-bounds read error exists in the certificate
parser that allows an unauthenticated, remote attacker
to cause a denial of service via crafted certificate
operations. (CVE-2016-6306)
- A denial of service vulnerability exists in the
state-machine implementation due to a failure to check
for an excessive length before allocating memory. An
unauthenticated, remote attacker can exploit this, via a
crafted TLS message, to exhaust memory resources.
(CVE-2016-6307)
- A denial of service vulnerability exists in the DTLS
implementation due to improper handling of excessively
long DTLS messages. An unauthenticated, remote attacker
can exploit this, via a crafted DTLS message, to exhaust
available memory resources. (CVE-2016-6308)
- A flaw exists in Apache Tomcat within SecurityManager
due to improper restriction of access to system
properties by the configuration files system property
replacement feature. A local attacker can exploit this,
via a crafted web application, to bypass SecurityManager
restrictions and disclose system properties.
(CVE-2016-6794)
- A flaw exists in Apache Tomcat that allows a local
attacker to bypass a configured SecurityManager by
changing the configuration parameters for the JSP
Servlet. (CVE-2016-6796)
- A flaw exists in Apache Tomcat due to a failure to limit
web application access to global JNDI resources. A local
attacker can exploit this to gain unauthorized access to
resources. (CVE-2016-6797)
- A flaw exists in Apache Tomcat when handling request
lines containing certain invalid characters. An
unauthenticated, remote attacker can exploit this to
conduct HTTP response splitting attacks by injecting
additional headers into responses. (CVE-2016-6816)
- An infinite loop condition exists in Apache Tomcat in
the HTTP/2 parser when handling overly large headers. An
unauthenticated, remote attacker can exploit this, via a
specially crafted request, to cause a denial of service
condition. (CVE-2016-6817)
- A carry propagation error exists in the
Broadwell-specific Montgomery multiplication procedure
when handling input lengths divisible by but longer than
256 bits. This can result in transient authentication
and key negotiation failures or reproducible erroneous
outcomes of public-key operations with specially crafted
input. A man-in-the-middle attacker can possibly exploit
this issue to compromise ECDH key negotiations that
utilize Brainpool P-512 curves. (CVE-2016-7055)
- A flaw exists in cURL in the Curl_cookie_init() function
within file lib/cookie.c when handling cookies. An
unauthenticated, remote attacker can exploit this to
inject new cookies for arbitrary domains.
(CVE-2016-8615)
- A flaw exists in cURL in the ConnectionExists() function
within file lib/url.c when checking credentials supplied
for reused connections due to the comparison being
case-insensitive. An unauthenticated, remote attacker
can exploit this to authenticate without knowing the
proper case of the username and password.
(CVE-2016-8616)
- An integer overflow condition exists in cURL in the
base64_encode() function within file lib/base64.c due to
improper validation of certain input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2016-8617)
- A denial of service vulnerability exists in cURL in the
alloc_addbyter() function within file lib/mprintf.c due
to improper validation of overly long input when it is
supplied to the curl_maprintf() API method. An
unauthenticated, remote attacker can exploit this to
free already freed memory and thereby crash the program.
(CVE-2016-8618)
- A double-free error exists in cURL in the read_data()
function within file lib/security.c when handling
Kerberos authentication. An unauthenticated, remote
attacker can exploit this to free already freed memory,
resulting in an unspecified impact on confidentiality,
integrity, and availability. (CVE-2016-8619)
- An out-of-bounds access error exists in cURL in file
tool_urlglob.c within the globbing feature. An
unauthenticated, remote attacker can exploit this to
disclose memory contents or execute arbitrary code.
(CVE-2016-8620)
- An out-of-bounds error exists in cURL in the parsedate()
function within file lib/parsedate.c when handling
dates. An unauthenticated, remote attacker can exploit
this to disclose memory contents or cause a denial of
service condition. (CVE-2016-8621)
- An integer truncation error exists in cURL in the
curl_easy_unescape() function within file lib/escape.c
when handling overly large URLs. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2016-8622)
- A use-after-free error exists in cURL within file
lib/cookie.c when handling shared cookies. An
unauthenticated, remote attacker can exploit this to
disclose memory contents. (CVE-2016-8623)
- A flaw exists in cURL in the parseurlandfillconn()
function within file lib/url.c when parsing the
authority component of a URL with the host name part
ending in a '#' character. An unauthenticated, remote
attacker can exploit this to establish a connection to
a different host than intended. (CVE-2016-8624)
- A flaw exists in cURL within International Domain Names
(IDNA) handling when translating domain names to puny
code for DNS resolving due to using the outdated IDNA
2003 standard instead of the IDNA 2008 standard, which
can result in incorrect translation of a domain name.
An unauthenticated, remote attacker can exploit this to
cause network traffic to be redirected to a different
host than intended. (CVE-2016-8625)
- A flaw exists in Apache Tomcat within the
catalina/mbeans/JmxRemoteLifecycleListener.java class
that is triggered during the deserialization of Java
objects. An unauthenticated, remote attacker can exploit
this to execute arbitrary code. (CVE-2016-8735)
- A flaw exists in the Web Server component (Apache HTTP
Server) when handling whitespace patterns in User-Agent
headers. An authenticated, remote attacker can exploit
this, via a specially crafted User-Agent header, to
cause incorrect processing of sequences of requests,
resulting in incorrectly interpreting responses,
polluting the cache, or disclosing content from one
request to a second downstream user-agent.
(CVE-2016-8743)
- A NULL pointer dereference flaw exists within file
ssl/statem/statem_clnt.c when handling parameters for
the DHE or ECDHE key exchanges. An unauthenticated,
remote attacker can exploit this, via specially crafted
parameters, to cause a denial of service condition.
(CVE-2017-3730)
- A out-of-bounds read error exists exists in the Core
subcomponent, specifically in OpenSSL, when handling
packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers.
An unauthenticated, remote attacker can exploit this,
via specially crafted truncated packets, to cause a
denial of service condition. (CVE-2017-3731)
- A carry propagating error exists in the x86_64
Montgomery squaring implementation that may cause the
BN_mod_exp() function to produce incorrect results. An
unauthenticated, remote attacker with sufficient
resources can exploit this to obtain sensitive
information regarding private keys. Note that this issue
is very similar to CVE-2015-3193. Moreover, the attacker
would additionally need online access to an unpatched
system using the target private key in a scenario with
persistent DH parameters and a private key that is
shared between multiple clients. For example, this can
occur by default in OpenSSL DHE based SSL/TLS cipher
suites. (CVE-2017-3732)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-07-18 | plugin id | 99930 | published | 2017-05-02 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=99930 | title | Oracle Secure Global Desktop Multiple Vulnerabilities (April 2017 CPU) (SWEET32) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2016-766.NASL | description | This build resolves the following issues :
CVE-2016-8615 : Cookie injection for other servers
CVE-2016-8616 : Case insensitive password comparison
CVE-2016-8617 : Out-of-bounds write via unchecked multiplication
CVE-2016-8618 : Double-free in curl_maprintf
CVE-2016-8619 : Double-free in krb5 code
CVE-2016-8620 : Glob parser write/read out of bounds
CVE-2016-8621 : curl_getdate out-of-bounds read
CVE-2016-8622 : URL unescape heap overflow via integer truncation
CVE-2016-8623 : Use-after-free via shared cookies
CVE-2016-8624 : Invalid URL parsing with '#' | last seen | 2018-10-02 | modified | 2018-10-01 | plugin id | 94686 | published | 2016-11-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94686 | title | Amazon Linux AMI : curl (ALAS-2016-766) |
NASL family | Gentoo Local Security Checks | NASL id | GENTOO_GLSA-201701-47.NASL | description | The remote host is affected by the vulnerability described in GLSA-201701-47
(cURL: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in cURL. Please review the
CVE identifiers and bug reports referenced for details.
Impact :
Remote attackers could conduct a Man-in-the-Middle attack to obtain
sensitive information, cause a Denial of Service condition, or execute
arbitrary code.
Workaround :
There is no known workaround at this time. | last seen | 2019-01-16 | modified | 2017-01-20 | plugin id | 96644 | published | 2017-01-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96644 | title | GLSA-201701-47 : cURL: Multiple vulnerabilities |
NASL family | FreeBSD Local Security Checks | NASL id | FREEBSD_PKG_765FEB7DA0D111E6A881B499BAEBFEAF.NASL | description | The cURL project reports
- cookie injection for other servers
- case insensitive password comparison
- OOB write via unchecked multiplication
- double-free in curl_maprintf
- double-free in krb5 code
- glob parser write/read out of bounds
- curl_getdate read out of bounds
- URL unescape heap overflow via integer truncation
- Use-after-free via shared cookies
- invalid URL parsing with '#'
- IDNA 2003 makes curl use wrong host | last seen | 2018-11-13 | modified | 2018-11-10 | plugin id | 94493 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94493 | title | FreeBSD : cURL -- multiple vulnerabilities (765feb7d-a0d1-11e6-a881-b499baebfeaf) |
NASL family | MacOS X Local Security Checks | NASL id | MACOS_10_12_2.NASL | description | The remote host is running a version of macOS that is 10.12.x prior to
10.12.2. It is, therefore, affected by multiple vulnerabilities in the
following components :
- apache_mod_php
- AppleGraphicsPowerManagement
- Assets
- Audio
- Bluetooth
- CoreCapture
- CoreFoundation
- CoreGraphics
- CoreMedia External Displays
- CoreMedia Playback
- CoreStorage
- CoreText
- curl
- Directory Services
- Disk Images
- FontParser
- Foundation
- Grapher
- ICU
- ImageIO
- Intel Graphics Driver
- IOFireWireFamily
- IOAcceleratorFamily
- IOHIDFamily
- IOKit
- IOSurface
- Kernel
- kext tools
- libarchive
- LibreSSL
- OpenLDAP
- OpenPAM
- OpenSSL
- Power Management
- Security
- syslog
- WiFi
- xar
Note that successful exploitation of the most serious issues can
result in arbitrary code execution.
Furthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also
affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin
does not check those versions. | last seen | 2019-01-16 | modified | 2018-07-14 | plugin id | 95917 | published | 2016-12-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95917 | title | macOS 10.12.x < 10.12.2 Multiple Vulnerabilities |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3123-1.NASL | description | It was discovered that curl incorrectly reused client certificates
when built with NSS. A remote attacker could possibly use this issue
to hijack the authentication of a TLS connection. (CVE-2016-7141)
Nguyen Vu Hoang discovered that curl incorrectly handled escaping
certain strings. A remote attacker could possibly use this issue to
cause curl to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2016-7167)
It was discovered that curl incorrectly handled storing cookies. A
remote attacker could possibly use this issue to inject cookies for
arbitrary domains in the cookie jar. (CVE-2016-8615)
It was discovered that curl incorrect handled case when comparing user
names and passwords. A remote attacker with knowledge of a
case-insensitive version of the correct password could possibly use
this issue to cause a connection to be reused. (CVE-2016-8616)
It was discovered that curl incorrect handled memory when encoding to
base64. A remote attacker could possibly use this issue to cause curl
to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8617)
It was discovered that curl incorrect handled memory when preparing
formatted output. A remote attacker could possibly use this issue to
cause curl to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2016-8618)
It was discovered that curl incorrect handled memory when performing
Kerberos authentication. A remote attacker could possibly use this
issue to cause curl to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-8619)
Luat Nguyen discovered that curl incorrectly handled parsing
globs. A remote attacker could possibly use this issue to cause curl
to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-8620)
Luat Nguyen discovered that curl incorrectly handled converting
dates. A remote attacker could possibly use this issue to cause curl
to crash, resulting in a denial of service. (CVE-2016-8621)
It was discovered that curl incorrectly handled URL percent-encoding
decoding. A remote attacker could possibly use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8622)
It was discovered that curl incorrectly handled shared cookies. A
remote server could possibly obtain incorrect cookies or other
sensitive information. (CVE-2016-8623)
Fernando Munoz discovered that curl incorrect parsed certain URLs. A
remote attacker could possibly use this issue to trick curl into
connecting to a different host. (CVE-2016-8624).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 94574 | published | 2016-11-04 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94574 | title | Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : curl vulnerabilities (USN-3123-1) |
NASL family | F5 Networks Local Security Checks | NASL id | F5_BIGIP_SOL85235351.NASL | description | curl before version 7.51.0 doesn't parse the authority component of
the URL correctly when the host name part ends with a '#' character,
and could instead be tricked into connecting to a different host. This
may have security implications if you for example use an URL parser
that follows the RFC to check for allowed domains before using curl to
request them.(CVE-2016-8624)
Impact
When a domain nameends with a number sign (#), cURL does not parse the
authority component of the URL correctly and can be tricked into
connecting to a different host. For example :
http://f5.com#@example.com/x.txt
To exploit this vulnerability, cURL must parse a malformed URL. The
BIG-IP system uses cURL/libcurl for IMAP, FTP, POP3, SMTP, Windows
WMI, RealServer, and custom external monitors that incorporate cURL.
On the BIG-IP system, access to the cURL utility is restricted to
locally authenticated users. | last seen | 2019-01-16 | modified | 2019-01-04 | plugin id | 105445 | published | 2017-12-26 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=105445 | title | F5 Networks BIG-IP : cURL and libcurl vulnerability (K85235351) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-2699-1.NASL | description | This update for curl fixes the following security issues :
- CVE-2016-8624: invalid URL parsing with '#'
(bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies
(bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer
truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds
(bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds
(bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf
(bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication
(bsc#1005635)
- CVE-2016-8616: case insensitive password comparison
(bsc#1005634)
- CVE-2016-8615: cookie injection for other servers
(bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows
(bsc#998760)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-29 | plugin id | 94506 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94506 | title | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2016:2699-1) |
NASL family | Fedora Local Security Checks | NASL id | FEDORA_2016-89769648A0.NASL | description | - fix cookie injection for other servers (CVE-2016-8615)
- compare user/passwd case-sensitively while reusing
connections (CVE-2016-8616)
- base64: check for integer overflow on large input
(CVE-2016-8617)
- fix double-free in krb5 code (CVE-2016-8619)
- fix double-free in curl_maprintf() (CVE-2016-8618)
- fix glob parser write/read out of bounds (CVE-2016-8620)
- fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
- fix URL unescape heap overflow via integer truncation
(CVE-2016-8622)
- fix use-after-free via shared cookies (CVE-2016-8623)
- urlparse: accept '#' as end of host name (CVE-2016-8624)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-10-01 | plugin id | 95009 | published | 2016-11-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95009 | title | Fedora 25 : curl (2016-89769648a0) |
NASL family | Huawei Local Security Checks | NASL id | EULEROS_SA-2017-1036.NASL | description | According to the versions of the curl packages installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :
- Multiple integer overflows in the (1) curl_escape, (2)
curl_easy_escape, (3) curl_unescape, and (4)
curl_easy_unescape functions in libcurl before 7.50.3
allow attackers to have unspecified impact via a string
of length 0xffffffff, which triggers a heap-based
buffer overflow.(CVE-2016-7167)
- ** RESERVED ** This candidate has been reserved by an
organization or individual that will use it when
announcing a new security problem. When the candidate
has been publicized, the details for this candidate
will be
provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE
-2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV
E-2016-8623,CVE-2016-8624)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-14 | plugin id | 99881 | published | 2017-05-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=99881 | title | EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1036) |
|