-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[VSA0401 - neon - void.at security notice]
Overview
========
We have discovered a format string vulnerability in neon
(http://www.webdav.org/neon). neon is a WebDAV client
library, used by Subversion and others.
CVE has assigned the name CAN-2004-0179 to this issue.
Affected Versions
=================
This affects neon versions 0.19.0 onwards, where ne_set_error
was changed from taking a single char* message to taking a
printf-style format string plus varargs. Any caller that passes
non-constant (server-supplied) text as the format argument is
affected.
Impact
======
Medium. A man-in-the-middle position or a malicious (fake)
WebDAV server is needed, since the attacker-controlled string
arrives in a server response. Note that all clients using this
library (such as Subversion) are affected.
Workaround:
===========
neon 0.24.5 fixes the described problem. You can get it from
http://www.webdav.org/neon/neon-0.24.5.tar.gz. Clients that
link neon statically must be rebuilt against the fixed version.
Details
=======
grep the neon source for callers of ne_set_error and see for
yourself: every call that passes non-constant text as the format
argument is affected.
One particular bug is that if the server's status line doesn't
start with "HTTP", the response is considered invalid and the
raw line is logged via ne_set_error as the format string. A
server can therefore supply %08x%08x etc. there and it will be
interpreted by a libc printf-family function (reading, or with
%n writing, the client's stack).
A typical WebDAV exchange starts with a PROPFIND request:
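The vulnerable call pattern and its fix, as an added C illustration that is not neon's own code: a stand-in set_error() with the printf-style signature the advisory says neon adopted in 0.19.0, a status-line check that passes the server's line straight through as the format (vulnerable) beside one that uses a constant format and %s (fixed), and a small specifier counter for spotting such payloads in captured responses. The struct, function names and the constructed payload are assumptions; the payload uses only "%%" so that the vulnerable path stays well-defined (no missing varargs are read) while still demonstrably interpreting the server string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for neon's session (assumption): only the error buffer matters here. */
struct session {
    char error[256];
};

/* Stand-in for ne_set_error() after 0.19.0: printf-style, formatted with
 * vsnprintf into sess->error. Whoever controls fmt controls the format parser. */
static void set_error(struct session *sess, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(sess->error, sizeof sess->error, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: a status line that does not start with "HTTP" is
 * rejected, and the raw server text becomes the format string. */
int parse_status_vulnerable(struct session *sess, const char *line)
{
    if (strncmp(line, "HTTP", 4) != 0) {
        set_error(sess, line);              /* attacker-controlled fmt */
        return -1;
    }
    return 0;
}

/* Fixed pattern: constant format string; untrusted text is only ever a %s argument. */
int parse_status_fixed(struct session *sess, const char *line)
{
    if (strncmp(line, "HTTP", 4) != 0) {
        set_error(sess, "Invalid status line: %s", line);
        return -1;
    }
    return 0;
}

/* Count conversion specifiers in untrusted text ("%%" is a literal percent,
 * not a conversion). A non-zero count in an HTTP status line is a red flag. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed payload: "%%" only, so no missing varargs are read and the
     * vulnerable path is still observably interpreted (each %% collapses to %). */
    const char *payload = "%%08x%%08x";
    struct session sess;

    parse_status_vulnerable(&sess, payload);
    printf("vulnerable: %s\n", sess.error);   /* %08x%08x  (format consumed) */
    parse_status_fixed(&sess, payload);
    printf("fixed:      %s\n", sess.error);   /* Invalid status line: %%08x%%08x */
    printf("specifiers in a real payload: %d\n", count_conversions("%08x%08x"));
    return 0;
}
```

Marking set_error with the printf format attribute and compiling with -Wformat=2 (or -Wformat-security) makes gcc flag the vulnerable call at build time; the grep suggested above finds the same callers by hand.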
Request
-------
PROPFIND /lenya/blog/authoring/entries/2003/08/24/peanuts/ HTTP/1.1
Pragma: no-cache
Cache-control: no-cache
Accept: text/*, image/jpeg, image/png, image/*, */*
Accept-Encoding: x-gzip, gzip, identity
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: 127.0.0.1
Depth: 0
Response
--------
HTTP/1.1 207 Multi-Status
X-Cocoon-Version: 2.1
Set-Cookie: JSESSIONID=320E3B1395B867B5BC42B5FC93457C36; Path=/lenya
Content-Type: text/xml
Transfer-Encoding: chunked
Date: Mon, 25 Aug 2003 14:27:12 GMT
Server: Apache Coyote/1.0
(multistatus XML body; markup lost in extraction, only text nodes survive:)
/lenya/blog/authoring/entries/2003/08/24/peanuts/
httpd/unix-directory
HTTP/1.1 200 OK
The format string bug can be triggered by a response whose first
line does not begin with "HTTP" and contains conversion specifiers,
for example:
...
%08x%08x
...
Timeline
========
2004-03-10: Bug discovered
2004-03-15: Contacted jorton@redhat.com (maintainer)
2004-03-16: Maintainer confirmation
2004-04-14: Maintainer released fixed version 0.24.5
2004-04-16: Public disclosure
Discovered by
=============
Thomas Wana
Credits
=======
void.at
Joe Orton (neon maintainer)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAgCWNLd3EzkyJNR8RAg0vAJ9y1Go4v5beg1haBez2UNB+59WuMACbBqoE
OVS/aw8YTpuu97qqpLuahnk=
=TFIo
-----END PGP SIGNATURE-----