CVE-2017-1000254: Buffer Overflow

Published Sep 26, 2017

curl: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.

Other sources

libcurl may read outside of a heap allocated buffer when doing FTP.

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.

Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path.

A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.

The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw.

This bug was introduced in commit 415d2e7cb7, March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

MITRE

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.

Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path.

A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.
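The two properties the 7.56.0 fix is described as having (the buffer is always NUL-terminated, and a reply whose path lacks a closing double quote is rejected) can be shown in a small parser for the 257 reply line. The following is an added example written for this page, not curl's own code; the function name parse_pwd_reply, the status enum and the sample reply lines are constructed for illustration. It also applies the RFC 959 convention that a literal double quote inside the path is sent as two double quotes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of parsing one PWD reply line (hypothetical names). */
enum pwd_status {
    PWD_OK = 0,           /* path extracted into *out */
    PWD_NOT_257 = 1,      /* reply code is not 257 */
    PWD_NO_QUOTE = 2,     /* no opening double quote after the code */
    PWD_UNTERMINATED = 3, /* opening quote but no closing quote: rejected */
    PWD_OOM = 4           /* allocation failed */
};

/*
 * Copy the quoted path of a "257 ..." reply into a freshly malloc'ed
 * buffer that is always NUL-terminated. On any failure *out stays NULL
 * and nothing is leaked, so a caller can never receive an unterminated
 * buffer the way the pre-7.56.0 parser described above could hand one out.
 */
enum pwd_status parse_pwd_reply(const char *line, char **out)
{
    *out = NULL;
    if (strncmp(line, "257", 3) != 0)
        return PWD_NOT_257;

    /* Skip forward to the opening double quote. */
    const char *p = line + 3;
    while (*p != '\0' && *p != '"')
        p++;
    if (*p != '"')
        return PWD_NO_QUOTE;
    p++; /* step past the opening quote */

    /* Every stored byte consumes at least one input byte, so the decoded
     * path can never be longer than the remaining input: this bound holds. */
    size_t cap = strlen(p) + 1;
    char *buf = malloc(cap);
    if (buf == NULL)
        return PWD_OOM;

    size_t n = 0;
    for (;;) {
        if (*p == '\0') {
            /* Input ended before a closing quote: reject instead of
             * silently keeping an unterminated name. */
            free(buf);
            return PWD_UNTERMINATED;
        }
        if (*p == '"') {
            if (p[1] == '"') {      /* "" inside the path is a literal quote */
                buf[n++] = '"';
                p += 2;
                continue;
            }
            break;                  /* closing quote found */
        }
        buf[n++] = *p++;
    }
    buf[n] = '\0';                  /* n <= cap - 1, so this is in bounds */
    *out = buf;
    return PWD_OK;
}

int main(void)
{
    /* Constructed sample replies: a well-formed one, one with an escaped
     * quote, and the malformed shape from the advisory (no closing quote). */
    const char *samples[] = {
        "257 \"/home/user\" is current directory.",
        "257 \"/odd\"\"name\" is current directory.",
        "257 \"/home/user",
        "550 Permission denied."
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *path = NULL;
        enum pwd_status st = parse_pwd_reply(samples[i], &path);
        printf("status %d path=%s\n", (int)st, path ? path : "(none)");
        free(path);
    }
    return 0;
}
```

The key point for a reviewer of any such parser is that rejection happens before the buffer is published to the caller: the only way to obtain a non-NULL path is through the branch that wrote the terminating byte.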

Introduced with:

https://github.com/curl/curl/commit/415d2e7cb7

External References:

https://curl.haxx.se/docs/adv20171004.html

Red Hat

Credit

Max Dymond

Affected Software

121 affected components (fixes available)

redhat/curl <7.56.0 (fixed in 7.56.0)
haxx libcurl=7.7
haxx libcurl=7.7.1
haxx libcurl=7.7.2
haxx libcurl=7.7.3
haxx libcurl=7.8
haxx libcurl=7.8.1
haxx libcurl=7.9
haxx libcurl=7.9.1
haxx libcurl=7.9.2
haxx libcurl=7.9.3
haxx libcurl=7.9.4
haxx libcurl=7.9.5
haxx libcurl=7.9.6
haxx libcurl=7.9.7
haxx libcurl=7.9.8
haxx libcurl=7.10
haxx libcurl=7.10.1
haxx libcurl=7.10.2
haxx libcurl=7.10.3
haxx libcurl=7.10.4
haxx libcurl=7.10.5
haxx libcurl=7.10.6
haxx libcurl=7.10.7
haxx libcurl=7.10.8
haxx libcurl=7.11.0
haxx libcurl=7.11.1
haxx libcurl=7.11.2
haxx libcurl=7.12.0
haxx libcurl=7.12.1
haxx libcurl=7.12.2
haxx libcurl=7.12.3
haxx libcurl=7.13.0
haxx libcurl=7.13.1
haxx libcurl=7.13.2
haxx libcurl=7.14.0
haxx libcurl=7.14.1
haxx libcurl=7.15.0
haxx libcurl=7.15.1
haxx libcurl=7.15.2
haxx libcurl=7.15.3
haxx libcurl=7.15.4
haxx libcurl=7.15.5
haxx libcurl=7.16.0
haxx libcurl=7.16.1
haxx libcurl=7.16.2
haxx libcurl=7.16.3
haxx libcurl=7.16.4
haxx libcurl=7.17.0
haxx libcurl=7.17.1
haxx libcurl=7.18.0
haxx libcurl=7.18.1
haxx libcurl=7.18.2
haxx libcurl=7.19.0
haxx libcurl=7.19.1
haxx libcurl=7.19.2
haxx libcurl=7.19.3
haxx libcurl=7.19.4
haxx libcurl=7.19.5
haxx libcurl=7.19.6
haxx libcurl=7.19.7
haxx libcurl=7.20.0
haxx libcurl=7.20.1
haxx libcurl=7.21.0
haxx libcurl=7.21.1
haxx libcurl=7.21.2
haxx libcurl=7.21.3
haxx libcurl=7.21.4
haxx libcurl=7.21.5
haxx libcurl=7.21.6
haxx libcurl=7.21.7
haxx libcurl=7.22.0
haxx libcurl=7.23.0
haxx libcurl=7.23.1
haxx libcurl=7.24.0
haxx libcurl=7.25.0
haxx libcurl=7.26.0
haxx libcurl=7.27.0
haxx libcurl=7.28.0
haxx libcurl=7.28.1
haxx libcurl=7.29.0
haxx libcurl=7.30.0
haxx libcurl=7.31.0
haxx libcurl=7.32.0
haxx libcurl=7.33.0
haxx libcurl=7.34.0
haxx libcurl=7.35.0
haxx libcurl=7.36.0
haxx libcurl=7.37.0
haxx libcurl=7.37.1
haxx libcurl=7.38.0
haxx libcurl=7.39
haxx libcurl=7.40.0
haxx libcurl=7.41.0
haxx libcurl=7.42.0
haxx libcurl=7.42.1
haxx libcurl=7.43.0
haxx libcurl=7.44.0
haxx libcurl=7.45.0
haxx libcurl=7.46.0
haxx libcurl=7.47.0
haxx libcurl=7.47.1
haxx libcurl=7.48.0
haxx libcurl=7.49.0
haxx libcurl=7.49.1
haxx libcurl=7.50.0
haxx libcurl=7.50.1
haxx libcurl=7.50.2
haxx libcurl=7.50.3
haxx libcurl=7.51.0
haxx libcurl=7.52.0
haxx libcurl=7.52.1
haxx libcurl=7.53.0
haxx libcurl=7.53.1
haxx libcurl=7.54.0
haxx libcurl=7.54.1
haxx libcurl=7.55.0
haxx libcurl=7.55.1
apple macOS High Sierra <10.13.2 (fixed in 10.13.2)
Apple Sierra
apple El Capitan

Event History

Oct 6, 2017: CVE Published (via MITRE, 01:00 PM)
Oct 6, 2017: Data Sourced (via MITRE, 01:00 PM)



Frequently Asked Questions

1. What is the severity of CVE-2017-1000254?

CVE-2017-1000254 has a medium severity rating due to the potential for an out-of-bounds read that may lead to information leakage.

2. How do I fix CVE-2017-1000254?

To fix CVE-2017-1000254, upgrade libcurl to version 7.56.0 or later.

3. Which versions of libcurl are affected by CVE-2017-1000254?

CVE-2017-1000254 affects libcurl versions 7.7 through 7.55.1 inclusive.

4. What type of vulnerability is CVE-2017-1000254?

CVE-2017-1000254 is categorized as an out-of-bounds read vulnerability found in the FTP PWD response parsing.

5. Is CVE-2017-1000254 exploitable remotely?

Yes, CVE-2017-1000254 is exploitable remotely when libcurl connects to a malicious FTP server.
