Bug 578119 (CVE-2010-1100)

Summary: CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jreznik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://vimeo.com/10302434
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-26 08:24:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 578133    
Bug Blocks:    

Description Jan Lieskovsky 2010-03-30 09:59:18 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1100 to
the following vulnerability:

Integer overflow in Arora allows remote attackers to bypass
intended port restrictions on outbound TCP connections via
a port number outside the range of the unsigned short data
type, as demonstrated by a value of 65561 for TCP port 25.

References:
  [1] http://www.securityfocus.com/archive/1/archive/1/510283/100/0/threaded

Public PoC:
  [2] http://vimeo.com/10302434
Comment 2 Jaroslav Reznik 2010-03-30 12:55:04 UTC 
This issue is NOT reproducible with QtWebKit as found in latest Fedora updates (Qt 4.6.2).

There's a check in QUrl code.

Arora output while trying to connect to http://localhost:65561/
QUrl::setPort: Out of range

Other WebKit implementations could be still vulnerable.
Comment 3 Tomas Hoger 2010-03-30 13:14:07 UTC 
webkitgtk-1.1.15.4-1.fc12 with midori gives:

(midori:17258): libsoup-CRITICAL **: soup_address_new: assertion `SOUP_ADDRESS_PORT_IS_VALID (port)' failed
(midori:17258): libsoup-CRITICAL **: soup_socket_connect_async: assertion `priv->remote_addr != NULL' failed

where soup defines:
  #define SOUP_ADDRESS_PORT_IS_VALID(port) (port >= 0 && port <= 65535)
Comment 4 Jaroslav Reznik 2010-03-30 13:54:58 UTC 
Konqueror (KHTML based) is not vulnerable to port overflow but does not check port 25 at all.
Comment 6 Tomas Hoger 2010-04-26 08:24:07 UTC 
I'm closing this.  The summary of findings:

- arora using QTWebKit - Port number integer overflow is caught as mentioned in comment #2.  However, arora/QTWebKit does not use port blacklisting.

- webkitgtk - Port number integer overflow is caught by libsoup network backend (see comment #3).  Port 25 itself is blocked.

- konqueror/khtml - Port number integer overflow is caught, default of 80 is used when out-of-range number is specified.  As with arora/QTWebKit, there's no port blacklising in use at all.