Remote exploitation of a buffer overflow vulnerability in multiple vendors' implementations of curl and wget allows attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds checking on user-supplied data supplied to a memory copy operation. The memcpy() of the supplied ntlm username to ntlmbuf shown below results in a stack overflow:

http-ntlm.c in ntlm_output() on line 532:

    /* size is now 64 */
    size=64;
    ntlmbuf[62]=ntlmbuf[63]=0;

    memcpy(&ntlmbuf[size], domain, domlen);
    size += domlen;

    memcpy(&ntlmbuf[size], usr, userlen);
    size += userlen;

The resulting stack overflow can be leveraged to gain arbitrary code execution with user privileges.

http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html
*** This bug has been marked as a duplicate of 109097 ***
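The bounds check missing from the ntlm_output() snippet above, written out as an added example; it is not curl's or wget's own code or their actual patch. The helper name ntlm_append_checked and the 256-byte buffer capacity are assumptions, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NTLM_HDR_SIZE 64   /* from the snippet: "size is now 64" */
#define NTLM_BUF_SIZE 256  /* assumed capacity; the report does not state it */

/* Hypothetical helper: append domain, then user, after the fixed header.
   Returns the new message length, or 0 if the fields do not fit. */
static size_t ntlm_append_checked(unsigned char *buf, size_t cap,
                                  const char *domain, size_t domlen,
                                  const char *usr, size_t userlen)
{
  size_t size = NTLM_HDR_SIZE;
  size_t room;

  if (cap < size)
    return 0;
  room = cap - size;

  /* Check by subtraction so that domlen + userlen cannot wrap around
     and slip past the comparison. */
  if (domlen > room || userlen > room - domlen)
    return 0;

  memcpy(&buf[size], domain, domlen);
  size += domlen;
  memcpy(&buf[size], usr, userlen);
  size += userlen;
  return size;
}

int main(void)
{
  unsigned char ntlmbuf[NTLM_BUF_SIZE] = {0};
  char longuser[400];                    /* constructed oversized user name */
  memset(longuser, 'A', sizeof(longuser));

  printf("normal:    %zu\n", ntlm_append_checked(ntlmbuf, sizeof(ntlmbuf),
                                                 "DOM", 3, "alice", 5));
  printf("oversized: %zu\n", ntlm_append_checked(ntlmbuf, sizeof(ntlmbuf),
                                                 "DOM", 3, longuser,
                                                 sizeof(longuser)));
  return 0;
}
```

A caller should treat a return value of 0 as a hard failure and abandon the NTLM response rather than truncate the fields.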