hackeroneNyymiH1:1570651
HistoryMay 15, 2022 - 1:56 a.m.

curl: CVE-2022-32206: HTTP compression denial of service

2022-05-15 01:56:48
nyymi
hackerone.com
75

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

29.4%

Summary:

Curl does not prevent resource consumption when processing certain header types, but keeps on allocating more and more resources until the application terminates (or the system crashes, see below).

The attack vectors include (at least):

  • Sending many Transfer-Encoding headers with repeated encodings such as “gzip,gzip,gzip,…”
  • If CURLOPT_ACCEPT_ENCODING is set, sending many Content-Encoding headers with repeated encodings such as “gzip,gzip,gzip,…”
  • Sending many Set-Cookie headers with unique cookie names and a value of about 4 kbytes

Steps To Reproduce:

1. Run the following HTTP server:
perl -e 'print "HTTP/1.1 200 OK\r\n";for (my $i=0; $i < 10000000; $i++) { printf "Transfer-Encoding: " . "gzip," x 20000 . "\r\n"; }' | nc -v -l -p 9999
2. curl http://localhost:9999

The application will terminate when it runs out of memory.

On macOS the app dies due to OOM:

Killed: 9
$ echo $?
137

On Linux it's the same:

Killed
$ echo $?
137

When targeting a Windows 11 system, the system would stop responding. Once the attack script was terminated, the system would not recover after 10 minutes of waiting. While it was possible to log on to the system, the display would remain black. Rebooting was necessary to recover the system to a working state. This of course is likely due to bugs in the Windows operating system or drivers.

On other platforms nasty effects may also occur, such as extreme swapping or a system crash. Depending on how the system handles an application gobbling all memory, it may result in collateral damage, for example when the kernel attempts to release system resources by killing processes.

Impact

  • Uncontrolled resource consumption
  • Uncontrolled application termination
  • System crash (on some platforms)
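
The three vectors listed in the summary share one root cause: nothing bounds how much header data a response may make the client process. The following is an added example, not code from the report or from curl, of a per-response header budget that caps stacked encodings and cumulative header bytes; the names header_budget, header_budget_account and both limit values are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define MAX_ENCODING_LAYERS 5          /* assumed cap; tune per application */
#define MAX_HEADER_BYTES (256 * 1024)  /* assumed cap on all header bytes */

struct header_budget {
    size_t bytes;   /* header bytes accepted so far in this response */
    size_t layers;  /* encoding tokens seen across all coding headers */
};

/* If line starts with "name:" (case-insensitive), return the value offset. */
static size_t match_header(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len > n && strncasecmp(line, name, n) == 0 && line[n] == ':')
        return n + 1;
    return 0;
}

/* Count non-empty comma-separated tokens, so "gzip,gzip,gzip," counts 3. */
static size_t count_tokens(const char *v, size_t len)
{
    size_t count = 0;
    int in_token = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == ',')
            in_token = 0;
        else if (!isspace(c) && !in_token) {
            in_token = 1;
            count++;
        }
    }
    return count;
}

/* Account for one header line. Returns 1 to continue, 0 to abort. */
int header_budget_account(struct header_budget *b, const char *line, size_t len)
{
    size_t off;
    if (len > MAX_HEADER_BYTES - b->bytes)
        return 0;                      /* covers the Set-Cookie flood */
    b->bytes += len;
    if ((off = match_header(line, len, "Transfer-Encoding")) ||
        (off = match_header(line, len, "Content-Encoding")))
        b->layers += count_tokens(line + off, len - off);
    return b->layers <= MAX_ENCODING_LAYERS;
}
```

The budget is reset for each response. Because it works on raw header lines, it sits in the application or proxy layer and does not change what an HTTP library allocates while parsing a single line internally.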
