Bug 578119 (CVE-2010-1100) - CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow
Summary: CVE-2010-1100 Arora: Intended port restrictions bypass due integer overflow
Alias: CVE-2010-1100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://vimeo.com/10302434
Depends On: 578133
TreeView+ depends on / blocked
Reported: 2010-03-30 09:59 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-04-26 08:24:07 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2010-03-30 09:59:18 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1100 to
the following vulnerability:

Integer overflow in Arora allows remote attackers to bypass
intended port restrictions on outbound TCP connections via
a port number outside the range of the unsigned short data
type, as demonstrated by a value of 65561 for TCP port 25.

  [1] http://www.securityfocus.com/archive/1/archive/1/510283/100/0/threaded

Public PoC:
  [2] http://vimeo.com/10302434

Comment 2 Jaroslav Reznik 2010-03-30 12:55:04 UTC
This issue is NOT reproducible with QtWebKit as found in latest Fedora updates (Qt 4.6.2).

There's a check in QUrl code.

Arora output while trying to connect to http://localhost:65561/
QUrl::setPort: Out of range

Other WebKit implementations could be still vulnerable.

Comment 3 Tomas Hoger 2010-03-30 13:14:07 UTC
webkitgtk- with midori gives:

(midori:17258): libsoup-CRITICAL **: soup_address_new: assertion `SOUP_ADDRESS_PORT_IS_VALID (port)' failed
(midori:17258): libsoup-CRITICAL **: soup_socket_connect_async: assertion `priv->remote_addr != NULL' failed

where soup defines:
  #define SOUP_ADDRESS_PORT_IS_VALID(port) (port >= 0 && port <= 65535)

Comment 4 Jaroslav Reznik 2010-03-30 13:54:58 UTC
Konqueror (KHTML based) is not vulnerable to port overflow but does not check port 25 at all.

Comment 6 Tomas Hoger 2010-04-26 08:24:07 UTC
I'm closing this.  The summary of findings:

- arora using QTWebKit - Port number integer overflow is caught as mentioned in comment #2.  However, arora/QTWebKit does not use port blacklisting.

- webkitgtk - Port number integer overflow is caught by libsoup network backend (see comment #3).  Port 25 itself is blocked.

- konqueror/khtml - Port number integer overflow is caught, default of 80 is used when out-of-range number is specified.  As with arora/QTWebKit, there's no port blacklising in use at all.

Note You need to log in before you can comment on or make changes to this bug.