Vigil@nce - curl: information disclosure via SMB
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls an SMB server can read a memory fragment of
the client process using curl, in order to obtain sensitive
information.
– Impacted products: cURL, Fedora, openSUSE
– Severity: 1/4
– Creation date: 17/06/2015
DESCRIPTION OF THE VULNERABILITY
The curl product includes an SMB/CIFS client library.
There is an SMB command for which the server requests the client to
send a server-specified section of a data area (typically a file).
However, the function smb_request_state() from the file
"lib/smb.c" does not check whether the requested interval is valid
before sending back the content of the corresponding memory area.
An attacker who controls an SMB server can therefore read a memory
fragment of the client process using curl, in order to obtain
sensitive information.
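The missing interval check described above, sketched as an added example: this is not curl's code from "lib/smb.c", the struct and function names are hypothetical, and the byte array is a constructed data area.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: the server names an offset and a length inside the
   client's data area. Both fields are untrusted input. */
struct slice_req {
    uint32_t offset;
    uint32_t length;
};

/* Flawed pattern: the interval is used as received, so a request outside
   data[0..data_len) makes memcpy read adjacent process memory. */
void copy_slice_unchecked(const unsigned char *data,
                          const struct slice_req *req, unsigned char *out)
{
    memcpy(out, data + req->offset, req->length);
}

/* Hardened form: returns 0 and fills out only when the whole interval lies
   inside the data area and fits the output buffer; returns -1 otherwise. */
int copy_slice_checked(const unsigned char *data, size_t data_len,
                       const struct slice_req *req,
                       unsigned char *out, size_t out_cap)
{
    size_t off = req->offset, len = req->length;

    if (off > data_len)
        return -1;
    if (len > data_len - off)   /* overflow-safe form of off + len <= data_len */
        return -1;
    if (len > out_cap)
        return -1;
    memcpy(out, data + off, len);
    return 0;
}

int main(void)
{
    unsigned char data[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed sample */
    unsigned char out[8];
    struct slice_req inside = {2, 4}, outside = {6, 4};

    printf("inside:  %d\n", copy_slice_checked(data, sizeof data, &inside, out, sizeof out));
    printf("outside: %d\n", copy_slice_checked(data, sizeof data, &outside, out, sizeof out));
    return 0;
}
```

The subtraction form of the length test avoids the integer wrap that a naive `off + len <= data_len` comparison would allow.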
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/curl-information-disclosure-via-SMB-17154