CVE-2024-6197

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

History

29 Nov 2024, 12:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20241129-0008/ -

21 Nov 2024, 09:49

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/07/24/1 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2024/07/24/1 - Mailing List, Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2024/07/24/5 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2024/07/24/5 - Mailing List, Third Party Advisory
References () https://curl.se/docs/CVE-2024-6197.html - Vendor Advisory () https://curl.se/docs/CVE-2024-6197.html - Vendor Advisory
References () https://curl.se/docs/CVE-2024-6197.json - Vendor Advisory () https://curl.se/docs/CVE-2024-6197.json - Vendor Advisory
References () https://hackerone.com/reports/2559516 - Exploit, Issue Tracking, Technical Description () https://hackerone.com/reports/2559516 - Exploit, Issue Tracking, Technical Description

26 Aug 2024, 15:25

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/07/24/1 - () http://www.openwall.com/lists/oss-security/2024/07/24/1 - Mailing List, Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2024/07/24/5 - () http://www.openwall.com/lists/oss-security/2024/07/24/5 - Mailing List, Third Party Advisory
References () https://curl.se/docs/CVE-2024-6197.html - () https://curl.se/docs/CVE-2024-6197.html - Vendor Advisory
References () https://curl.se/docs/CVE-2024-6197.json - () https://curl.se/docs/CVE-2024-6197.json - Vendor Advisory
References () https://hackerone.com/reports/2559516 - () https://hackerone.com/reports/2559516 - Exploit, Issue Tracking, Technical Description
First Time Haxx
Haxx libcurl
CWE NVD-CWE-Other
CPE cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

01 Aug 2024, 14:00

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

24 Jul 2024, 21:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/07/24/5 -

24 Jul 2024, 09:15

Type Values Removed Values Added
Summary
  • (es) El analizador ASN1 de libcurl tiene esta función utf8asn1str() utilizada para analizar una cadena ASN.1 UTF-8. Puede detectar un campo no válido y devolver un error. Desafortunadamente, al hacerlo también invoca `free()` en un búfer localstack de 4 bytes. La mayoría de las implementaciones modernas de malloc detectan este error y lo abortan inmediatamente. Sin embargo, algunos aceptan el puntero de entrada y agregan esa memoria a su lista de fragmentos disponibles. Esto lleva a la sobrescritura de la memoria de stack. El contenido de la sobrescritura lo decide la implementación `free()`; Es probable que sean punteros de memoria y un conjunto de banderas. El resultado más probable de explotar este defecto es un colapso, aunque no se puede descartar que se puedan obtener resultados más graves en circunstancias especiales.
References
  • () http://www.openwall.com/lists/oss-security/2024/07/24/1 -

24 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-24 08:15

Updated : 2024-11-29 12:15


NVD link : CVE-2024-6197

Mitre link : CVE-2024-6197

CVE.ORG link : CVE-2024-6197


JSON object : View

Products Affected

haxx

  • libcurl