Curl Library's Vulnerability: An Overview

The curl library, libcurl, faces a heap-based buffer overflow during a SOCKS5 proxy handshake due to a flaw.

Technical Breakdown

When curl delegates hostname resolution to the SOCKS5 proxy, the hostname should not exceed 255 bytes.
In scenarios where the hostname surpasses this limit, curl is expected to resolve it locally. However, a bug could incorrectly copy an overextended hostname into the buffer instead of only copying the resolved address during slow SOCKS5 handshakes.
The buffer in question is libcurl's heap-based download buffer. By default, its size is 16kB, but applications can adjust this. The command-line tool version, the curl tool, sets it at 102400 bytes by default.
Users can employ libcurl's CURLOPT_BUFFERSIZE to modify the buffer's size.
Overflow occurs when a hostname, longer than the buffer, is used. This requires a specific set of conditions, including a sufficiently slow SOCKS5 handshake and a long hostname.

Use of the options CURLOPT_PROXYTYPE set to CURLPROXY_SOCKS5_HOSTNAME.
Using CURLOPT_PROXY or CURLOPT_PRE_PROXY with the socks5h:// scheme.
Setting environment variables like http_proxy, HTTPS_PROXY, or ALL_PROXY to the socks5h:// scheme.

The issue stems from when the SOCKS5 handshake's coding was shifted from a blocking function to a non-blocking state machine.
This analysis predominantly targets curl version 8. Some older versions from the 7 series possess fewer restrictions on hostname length and buffer size.

From version 8.4.0 onward, curl returns an error for excessively long names instead of switching to local resolve mode.
Fixed version: GitHub Commit
Patches for older versions are available.

About this post

Posted: 2023-10-13
By: dwirch
Viewed: 199 times

No comments have been added for this post.

You must be logged in to make a comment.