CVE-2018-1000300
Description
curl versions 7.54.1 through 7.59.0 have a heap buffer overflow when processing long FTP server command replies during connection shutdown.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in curl versions 7.54.1 through 7.59.0 (inclusive) when handling long FTP server command replies during connection shutdown. The issue lies in the closure handle used internally for FTP connections, where cached server response data can exceed the default 16 KB buffer, leading to a heap overflow [2]. The overflow is triggered only when closing an FTP connection with very long server responses.
Exploitation
An attacker must operate a malicious FTP server that sends oversized command replies. A user or automated system must connect to that server via curl or an application using libcurl. When the FTP transfer completes and the connection is shut down, the cached response data may overflow the heap buffer [1][2]. No authentication or special privileges are required beyond the ability to lure the user into contacting the malicious server.
Impact
Successful exploitation can cause curl to crash (denial of service) or potentially allow arbitrary code execution, depending on the heap memory layout [1]. The overflow is controllable by the server, making code execution possible but not guaranteed. The impact is limited to the curl process; however, if libcurl is used in a server or automated tool, it could be leveraged for further compromise.
Mitigation
The vulnerability is fixed in curl version 7.60.0, released on May 16, 2018 [2]. Users should upgrade to 7.60.0 or later, or apply the patch available from the curl project [2]. For Ubuntu, fixed packages are available in USN-3648-1 [1]. Gentoo users should upgrade to >=net-misc/curl-7.60.0 [3]. As a workaround, avoid FTP transfers until the update is applied [2].
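A triage check for the version range above, as an added example that is not part of the original page or the curl project: it parses `curl --version` text, compares the libcurl version against 7.54.1 through 7.59.0, and checks whether FTP support is built in. It assumes the usual `libcurl/X.Y.Z` token and `Protocols:` line in that output; the sample text and function names are constructed for illustration. Distribution packages patched through a vendor advisory may still report an in-range upstream version, so an in-range result means "check the package changelog", not "confirmed vulnerable".

```python
import re

# Affected range as stated on this page: 7.54.1 through 7.59.0 inclusive.
AFFECTED_MIN = (7, 54, 1)
AFFECTED_MAX = (7, 59, 0)

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE = (
    "curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11\n"
    "Release-Date: 2018-01-24\n"
    "Protocols: dict file ftp ftps http https smtp\n"
    "Features: IPv6 Largefile SSL libz\n"
)

def parse_curl_version(output):
    """Return ((major, minor, patch), protocols) from `curl --version` text.

    The library version is used rather than the tool version, on the
    assumption that the flaw lives in libcurl (the page says applications
    using libcurl are affected too).
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no libcurl version found in output")
    version = tuple(int(x) for x in m.groups())
    p = re.search(r"^Protocols:\s*(.*)$", output, re.MULTILINE)
    protocols = set(p.group(1).lower().split()) if p else set()
    return version, protocols

def assess(output):
    """Classify a build against the affected range and FTP support."""
    version, protocols = parse_curl_version(output)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected-by-version"
    if "ftp" not in protocols:
        # The overflow is only reachable through FTP server replies.
        return "affected-version-ftp-disabled"
    return "affected-check-vendor-backport"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Feed it the output of `curl --version` from each host or container image being triaged.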
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (8)
- security.gentoo.org/glsa/201806-05 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/3648-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (mitre, x_refsource_CONFIRM)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (mitre, x_refsource_CONFIRM)
- www.securityfocus.com/bid/104207 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040933 (mitre, vdb-entry, x_refsource_SECTRACK)
- curl.haxx.se/docs/adv_2018-82c2.html (mitre, x_refsource_CONFIRM)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (mitre, x_refsource_CONFIRM)