curl: CVE-2022-27778: curl removes wrong file on error

2022-04-2812:58:26

nyymi

hackerone.com

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.001 Low

EPSS

Percentile

23.0%

JSON

Summary:

Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs.

Steps To Reproduce:

echo "important file" > foo
echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999
curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/
ls -l foo*
cat foo.1

-m 3 is used here to simulate a denial of service of the connection performed by the attacker.

The bug appears to happen because the remote-on-error unlink is called without considering the no-clobber generated file name:

no-clobber name generation; https://github.com/curl/curl/blob/3fd1d8df3a2497078d580f43c17311e6f58186a1/src/tool_cb_wrt.c#L88
remove-on-error unlink: https://github.com/curl/curl/blob/f7f26077bc563375becdb2adbcd49eb9f28590f9/src/tool_operate.c#L598

Impact

Removal of a file that was supposed not to be overwritten (data loss). Incomplete file left of disk when it should have been removed. This can lead to potential loss of integrity or availability.

For this attack to work the attacker of course would need to know a scenario where the victim is performing curl operation with --no-clobber --remove-on-error options.