Vigil@nce: Cyrus SASL, buffer overflow of sasl_encode64
May 2009 by Vigil@nce
An attacker can generate an overflow in applications linked to
Cyrus SASL and using the sasl_encode64() function.
Severity: 2/4
Consequences: user access/rights, denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 15/05/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Linux
– Mandriva Multi Network Firewall
– OpenSolaris
– Slackware Linux
– Sun Solaris
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Cyrus SASL library (Simple Authentication and Security Layer)
adds new authentication methods to existing protocols.
The sasl_encode64() function encodes a string to base64. However,
this function does not check if the output buffer is sufficiently
large to contain the '\0' string terminator. An overflow of one
byte can thus occur.
An attacker can therefore generate an overflow in applications
linked to Cyrus SASL and using the sasl_encode64() function. This
overflow generates a denial of service or possibly code
execution.
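The bounds check that the description says is missing, shown as an added example (not code from Cyrus SASL or from this bulletin): a base64 encoder that refuses to write unless the output buffer holds the encoded text plus the '\0' terminator. The names b64_needed and b64_encode are hypothetical, and the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: output bytes needed, counting the '\0' terminator. */
size_t b64_needed(size_t inlen) { return 4 * ((inlen + 2) / 3) + 1; }

/* Hypothetical encoder, not the Cyrus SASL source.
   Returns 0 on success, -1 if the output buffer is too small. */
int b64_encode(const unsigned char *in, size_t inlen,
               char *out, size_t outmax, size_t *outlen)
{
    static const char tab[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    if (inlen > SIZE_MAX / 4 * 3 - 2)    /* size computation would wrap */
        return -1;
    /* Comparing outmax against the encoded length alone would leave no
       room for the terminator written at the end: the one-byte overflow. */
    if (out == NULL || outmax < b64_needed(inlen))
        return -1;

    for (; i + 2 < inlen; i += 3) {      /* full 3-byte groups */
        out[o++] = tab[in[i] >> 2];
        out[o++] = tab[((in[i] & 0x03) << 4) | (in[i + 1] >> 4)];
        out[o++] = tab[((in[i + 1] & 0x0f) << 2) | (in[i + 2] >> 6)];
        out[o++] = tab[in[i + 2] & 0x3f];
    }
    if (i < inlen) {                     /* 1 or 2 trailing bytes, padded */
        int two = (i + 1 < inlen);
        unsigned b1 = two ? in[i + 1] : 0;
        out[o++] = tab[in[i] >> 2];
        out[o++] = tab[((in[i] & 0x03) << 4) | (b1 >> 4)];
        out[o++] = two ? tab[(b1 & 0x0f) << 2] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';                       /* always fits: checked above */
    if (outlen) *outlen = o;
    return 0;
}

int main(void)
{
    char buf[5];                         /* exactly b64_needed(3) */
    const unsigned char *in = (const unsigned char *)"abc";
    printf("outmax=4: %d\n", b64_encode(in, 3, buf, 4, NULL));
    printf("outmax=5: %d\n", b64_encode(in, 3, buf, sizeof buf, NULL));
    return 0;
}
```

Callers can apply the same arithmetic on their side: size the output buffer with 4 * ((inlen + 2) / 3) + 1 bytes rather than the encoded length alone.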
CHARACTERISTICS
Identifiers: 259148, 6836899, BID-34961, CVE-2009-0688,
MDVSA-2009:113, SSA:2009-134-01, VIGILANCE-VUL-8715, VU#238019
http://vigilance.fr/vulnerability/Cyrus-SASL-buffer-overflow-of-sasl-encode64-8715