Curl Library's Vulnerability: An Overview
Posted: 2023-10-13
By: dwirch
The curl library, libcurl, contains a heap-based buffer overflow that can be triggered during a SOCKS5 proxy handshake.
Technical Breakdown
- When curl delegates hostname resolution to the SOCKS5 proxy, the hostname should not exceed 255 bytes.
- When the hostname exceeds this limit, curl is expected to resolve it locally instead. However, when the handshake is slow enough that curl's non-blocking state machine has to return and resume later, a bug causes the over-long hostname to be copied into the buffer instead of only the resolved address.
- The buffer in question is libcurl's heap-based download buffer. By default its size is 16kB, but applications can change this; the curl command-line tool sets it to 102400 bytes by default.
- Applications can use libcurl's CURLOPT_BUFFERSIZE option to modify the buffer's size.
- The overflow occurs when the hostname is longer than the buffer. Triggering it therefore requires a specific set of conditions: a sufficiently slow SOCKS5 handshake and a hostname long enough to exceed the buffer.
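To make the 255-byte limit concrete, here is an added example (not curl's own code) that builds the SOCKS5 CONNECT request a client sends when it asks the proxy to resolve the hostname (ATYP 0x03, RFC 1928). The hostname length is carried in a single byte, which is why a name over 255 bytes cannot be sent to the proxy at all; the function refuses such names and also refuses to write past the caller's buffer, which is the behaviour the fix restores. The output buffer here stands in for libcurl's download buffer and the function name and layout are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire format of a SOCKS5 CONNECT request with a domain-name target (RFC 1928):
 *
 *   +----+-----+-------+------+-----+------------+----------+
 *   |VER | CMD |  RSV  | ATYP | LEN |  DST.ADDR  | DST.PORT |
 *   +----+-----+-------+------+-----+------------+----------+
 *   | 1  |  1  | X'00' | X'03'|  1  | LEN bytes  |    2     |
 *
 * LEN is one byte, so the largest hostname the proxy can be asked to
 * resolve is 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255

/* Build the request into out[]. Returns the number of bytes written, or -1
 * when the hostname cannot be encoded or the output buffer is too small.
 * Both failure paths return an error rather than copying anything: this is
 * the "return an error for excessively long names" behaviour of curl 8.4.0,
 * as opposed to silently falling back to local resolution. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t out_len)
{
    size_t host_len = strlen(host);

    /* Names longer than 255 bytes do not fit the 1-byte length field. */
    if (host_len == 0 || host_len > SOCKS5_MAX_HOSTNAME)
        return -1;

    /* Bound check against the destination buffer before any copy. */
    size_t need = 4 + 1 + host_len + 2;
    if (out_len < need)
        return -1;

    out[0] = 0x05;                  /* VER: SOCKS5 */
    out[1] = 0x01;                  /* CMD: CONNECT */
    out[2] = 0x00;                  /* RSV */
    out[3] = 0x03;                  /* ATYP: DOMAINNAME, the proxy resolves it */
    out[4] = (uint8_t)host_len;     /* LEN */
    memcpy(out + 5, host, host_len);
    out[5 + host_len] = (uint8_t)(port >> 8);
    out[6 + host_len] = (uint8_t)(port & 0xff);
    return (int)need;
}

int main(void)
{
    uint8_t buf[300];
    char too_long[SOCKS5_MAX_HOSTNAME + 2];   /* constructed 256-byte name */

    int n = socks5_build_connect("example.com", 443, buf, sizeof buf);
    printf("example.com -> %d bytes\n", n);

    memset(too_long, 'a', SOCKS5_MAX_HOSTNAME + 1);
    too_long[SOCKS5_MAX_HOSTNAME + 1] = '\0';
    n = socks5_build_connect(too_long, 443, buf, sizeof buf);
    printf("256-byte name -> %d (rejected)\n", n);
    return 0;
}
```

The two rejections are deliberately indistinguishable to the caller: a client that cannot express the name on the wire should fail the request, not pick a different resolution path and keep the oversized name around.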
Trigger Mechanisms
- Use of the options CURLOPT_PROXYTYPE set to CURLPROXY_SOCKS5_HOSTNAME.
- Using CURLOPT_PROXY or CURLOPT_PRE_PROXY with the socks5h:// scheme.
- Setting environment variables like http_proxy, HTTPS_PROXY, or ALL_PROXY to the socks5h:// scheme.
Historical Context
- The issue was introduced when the SOCKS5 handshake code was converted from a blocking function into a non-blocking state machine.
- This analysis predominantly targets curl version 8. Some older versions in the 7 series have fewer restrictions on hostname length and buffer size.
CVE Classification
- CVE-2023-38545
- CWE-122: Heap-based Buffer Overflow
- Severity: High
Impact
- Versions affected: libcurl 7.69.0 up to 8.3.0.
- Safe versions: libcurl < 7.69.0 and >= 8.4.0
- Vulnerability introduction: GitHub Commit
- Note: Several applications use libcurl, often without explicit mention.
Solution
- From version 8.4.0 onward, curl returns an error for excessively long names instead of switching to local resolve mode.
- Fixed version: GitHub Commit
- Patches for older versions are available.
Recommendations
- Upgrade to curl version 8.4.0
- Implement the patch on your local version
- Avoid using CURLPROXY_SOCKS5_HOSTNAME proxies with curl
- Do not configure a proxy environment variable to socks5h://.
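The recommendations above come down to two checks an operator can script: whether the installed libcurl is inside the affected range (7.69.0 up to 8.3.0), and whether any proxy environment variable selects the socks5h:// scheme. The following is an added example in C, not curl's code, that implements both; it parses the version from the first line of `curl --version` output (a constructed banner is used below) and reads the variable names the post lists plus their lowercase forms, which curl also honours. Function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 when major.minor.patch lies in the affected range
 * [7.69.0, 8.3.0]; versions < 7.69.0 and >= 8.4.0 are not affected. */
int libcurl_version_affected(int major, int minor, int patch)
{
    long v = (long)major * 1000000L + (long)minor * 1000L + patch;
    return v >= 7069000L && v <= 8003000L;
}

/* Extract X.Y.Z from the "libcurl/X.Y.Z" token of a `curl --version` banner.
 * Returns 1 on success (major/minor/patch filled in), 0 if not found. */
int parse_libcurl_version(const char *banner, int *major, int *minor, int *patch)
{
    const char *p = strstr(banner, "libcurl/");
    if (!p)
        return 0;
    return sscanf(p + strlen("libcurl/"), "%d.%d.%d", major, minor, patch) == 3;
}

/* Return 1 if the proxy URL uses the socks5h:// scheme (case-insensitive),
 * i.e. the proxy is asked to resolve hostnames. Plain socks5:// resolves
 * locally and is not one of the trigger conditions. */
int proxy_uses_socks5h(const char *url)
{
    static const char scheme[] = "socks5h://";
    size_t n = sizeof scheme - 1;
    if (!url)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (url[i] == '\0' || tolower((unsigned char)url[i]) != scheme[i])
            return 0;
    }
    return 1;
}

/* Environment variables named in the post, plus the lowercase spellings
 * curl also reads. Returns the first one pointing at a socks5h:// proxy,
 * or NULL when none does. */
const char *first_socks5h_proxy_var(void)
{
    static const char *names[] = {
        "http_proxy", "HTTPS_PROXY", "https_proxy", "ALL_PROXY", "all_proxy", NULL
    };
    for (int i = 0; names[i]; i++) {
        if (proxy_uses_socks5h(getenv(names[i])))
            return names[i];
    }
    return NULL;
}

int main(void)
{
    /* Constructed banner in the shape `curl --version` prints on its first line. */
    const char *banner =
        "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13";
    int major, minor, patch;

    if (parse_libcurl_version(banner, &major, &minor, &patch))
        printf("libcurl %d.%d.%d: %s\n", major, minor, patch,
               libcurl_version_affected(major, minor, patch)
                   ? "in affected range, upgrade to 8.4.0 or apply the patch"
                   : "not affected by CVE-2023-38545");

    const char *var = first_socks5h_proxy_var();
    if (var)
        printf("%s selects socks5h://; proxy-side resolution is enabled\n", var);
    else
        printf("no proxy environment variable selects socks5h://\n");
    return 0;
}
```

In a real deployment, feed the banner from `curl --version | head -1` and remember that the version check only covers the curl tool's own libcurl; applications that bundle or statically link libcurl need to be checked separately, which is the point of the post's note that many applications use libcurl without saying so.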