CVE-2018-1000120

Name of the Vulnerable Software and Affected Versions curl versions 7.12.3 through 7.58.0

Description A buffer overflow exists in the FTP URL handling of curl, allowing an attacker to cause a denial of service or worse. The vulnerability is triggered when curl is told to work on an FTP URL with the setting to only issue a single CWD command. The --ftp-method singlecwd or the libcurl alternative CURLOPT FTP FILEMETHOD can be used to exploit this issue. If the directory part of the URL contains a %00 sequence, the directory length might end up shorter than the file name path, making the calculation size t index = directory len - filepart len end up with a huge index variable for where the zero byte gets stored. This can lead to overwriting memory before the intended heap buffer.

Recommendations For curl versions 7.12.3 through 7.58.0, consider disabling the --ftp-method singlecwd option or the libcurl alternative CURLOPT FTP FILEMETHOD to minimize the risk of exploitation. Avoid using FTP URLs with the %00 sequence in the directory part until the issue is resolved. As a temporary workaround, restrict access to the FTP URL handling functionality to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.