Bug 578119 – CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 578119 - (CVE-2010-1100) CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow

Summary:	CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow

Status:	CLOSED NOTABUG

Aliases:	CVE-2010-1100

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:	http://vimeo.com/10302434
Whiteboard:	impact=moderate,source=debian,reporte...
Keywords:	Security

Depends On:	578133
Blocks:
	Show dependency tree / graph

Reported:	2010-03-30 05:59 EDT by Jan Lieskovsky
Modified:	2016-03-04 06:57 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-04-26 04:24:07 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jan Lieskovsky 2010-03-30 05:59:18 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1100 to
the following vulnerability:

Integer overflow in Arora allows remote attackers to bypass
intended port restrictions on outbound TCP connections via
a port number outside the range of the unsigned short data
type, as demonstrated by a value of 65561 for TCP port 25.

References:
  [1] http://www.securityfocus.com/archive/1/archive/1/510283/100/0/threaded

Public PoC:
  [2] http://vimeo.com/10302434

Comment 2 Jaroslav Reznik 2010-03-30 08:55:04 EDT

This issue is NOT reproducible with QtWebKit as found in latest Fedora updates (Qt 4.6.2).

There's a check in QUrl code.

Arora output while trying to connect to http://localhost:65561/
QUrl::setPort: Out of range

Other WebKit implementations could be still vulnerable.

Comment 3 Tomas Hoger 2010-03-30 09:14:07 EDT

webkitgtk-1.1.15.4-1.fc12 with midori gives:

(midori:17258): libsoup-CRITICAL **: soup_address_new: assertion `SOUP_ADDRESS_PORT_IS_VALID (port)' failed
(midori:17258): libsoup-CRITICAL **: soup_socket_connect_async: assertion `priv->remote_addr != NULL' failed

where soup defines:
  #define SOUP_ADDRESS_PORT_IS_VALID(port) (port >= 0 && port <= 65535)

Comment 4 Jaroslav Reznik 2010-03-30 09:54:58 EDT

Konqueror (KHTML based) is not vulnerable to port overflow but does not check port 25 at all.

Comment 6 Tomas Hoger 2010-04-26 04:24:07 EDT

I'm closing this.  The summary of findings:

- arora using QTWebKit - Port number integer overflow is caught as mentioned in comment #2.  However, arora/QTWebKit does not use port blacklisting.

- webkitgtk - Port number integer overflow is caught by libsoup network backend (see comment #3).  Port 25 itself is blocked.

- konqueror/khtml - Port number integer overflow is caught, default of 80 is used when out-of-range number is specified.  As with arora/QTWebKit, there's no port blacklising in use at all.

Note You need to log in before you can comment on or make changes to this bug.