// For flags

CVE-2024-6197

freeing stack buffer in utf8asn1str

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

El analizador ASN1 de libcurl tiene esta función utf8asn1str() utilizada para analizar una cadena ASN.1 UTF-8. Puede detectar un campo no válido y devolver un error. Desafortunadamente, al hacerlo también invoca `free()` en un búfer localstack de 4 bytes. La mayoría de las implementaciones modernas de malloc detectan este error y lo abortan inmediatamente. Sin embargo, algunos aceptan el puntero de entrada y agregan esa memoria a su lista de fragmentos disponibles. Esto lleva a la sobrescritura de la memoria de stack. El contenido de la sobrescritura lo decide la implementación `free()`; Es probable que sean punteros de memoria y un conjunto de banderas. El resultado más probable de explotar este defecto es un colapso, aunque no se puede descartar que se puedan obtener resultados más graves en circunstancias especiales.

*Credits: z2_, z2_
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-20 CVE Reserved
  • 2024-07-24 CVE Published
  • 2024-08-01 CVE Updated
  • 2024-08-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.8.0
Search vendor "Curl" for product "Curl" and version "8.8.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.7.1
Search vendor "Curl" for product "Curl" and version "8.7.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.7.0
Search vendor "Curl" for product "Curl" and version "8.7.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.6.0
Search vendor "Curl" for product "Curl" and version "8.6.0"
en
Affected