Buffer overflow in curl and libcurl that occurs when accessing via the SOCKS5 proxy

Carding 4 Carders

A vulnerability (CVE-2023-38545) has been identified in the curl utility for receiving and sending data over the network and in the libcurl library developed alongside it. It can lead to a buffer overflow and potentially to execution of attacker code on the client side when an HTTPS server controlled by an attacker is accessed using the curl utility or an application built on libcurl. The problem only appears if curl is configured to connect via a SOCKS5 proxy; direct access without a proxy does not expose the vulnerability. The vulnerability was fixed in the curl 8.4.0 release. The security researcher who identified the bug received a reward of $4,660 through the Internet Bug Bounty initiative on HackerOne.

The vulnerability is caused by an error in the hostname resolution code used before connecting through the SOCKS5 proxy. If the hostname is up to 256 characters long, curl immediately passes the name to the SOCKS5 proxy to be resolved on the proxy side; if the name is longer than 255 characters, it switches to the local resolver and passes the already resolved address to SOCKS5. Due to an error in the code, the flag indicating that local resolution is needed could be set to the wrong value during slow negotiation of the connection via SOCKS5, which led to a long hostname being written to a buffer allocated on the assumption that it would hold an IP address or a name of at most 255 characters.

The owner of a site that curl accesses via a SOCKS5 proxy can trigger a buffer overflow on the client side by responding with a redirect code (HTTP 30x) and placing in the "Location:" header a URL whose hostname is between 16 and 64 KB long (16 KB is the minimum size needed to overflow the allocated buffer, and 65 KB corresponds to the maximum permitted hostname length in a URL). If following redirects is enabled in the libcurl settings and the SOCKS5 proxy in use is slow enough, the long hostname is written to a buffer that is clearly too small for it.

The vulnerability mainly affects libcurl-based applications; in the curl utility itself it manifests only when the "--limit-rate" option is used with a value less than 65541. By default, libcurl allocates a buffer of 16 KB, and the curl utility 100 KB, but this size changes depending on the value of the "--limit-rate" parameter.

Daniel Stenberg, the project's author, noted that the vulnerability went undetected for 1,315 days. It is also noted that 41% of the previously identified vulnerabilities in curl would probably have been avoided if curl had been written in a memory-safe language, but there are no plans to rewrite curl in another language in the foreseeable future. As measures to improve the security of the code base, it is proposed to expand the code-testing tooling and to make more active use of dependencies written in memory-safe languages. The possibility of gradually replacing parts of curl with variants written in safe languages, such as the experimental Hyper HTTP backend implemented in Rust, is also being considered.