curl: CVE-2023-28319: UAF in SSH sha256 fingerprint check

Summary:

The fingerprint_b64 pointer is as parameter for failure logging after it is freed.

Steps To Reproduce:

1. git clone https://github.com/curl/curl
2. vim curl/lib/vssh/libssh2.c
3. search for the string ‘free(fingerprint_b64)’ and note that fingerprint_b64 is used as parameter immediately after it is freed.

Supporting Material/References:

The following are the details of the code.

git commit a51f90ec0f74176776f5d14b99689f9241660eaa (HEAD -> master, origin/master, origin/HEAD)

In curl/lib/vssh/libssh2.c
653 static CURLcode ssh_check_fingerprint(struct Curl_easy *data)
654 {
…
667 char *fingerprint_b64 = NULL;
…
729 if((pub_pos != b64_pos) ||
730 strncmp(fingerprint_b64, pubkey_sha256, pub_pos)) {
731 free(fingerprint_b64);
732
733 failf(data,
734 "Denied establishing ssh session: mismatch sha256 fingerprint. "
735 “Remote %s is not equal to %s”, fingerprint_b64, pubkey_sha256);

According to git blame, the following commits were involved:

d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 731) free(fingerprint_b64);
d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 732)
d1e7d9197b lib/vssh/libssh2.c (Mats Lindestam 2021-09-26 23:20:53 +0200 733) failf(data,
ff2f3e8367 lib/vssh/libssh2.c (Daniel Stenberg 2022-04-25 11:41:20 +0200 734) "Denied establishing ssh session: mismatch sha256 fingerprint. "
ff2f3e8367 lib/vssh/libssh2.c (Daniel Stenberg 2022-04-25 11:41:20 +0200 735) “Remote %s is not equal to %s”, fingerprint_b64, pubkey_sha256);

Impact

Depends on which memory is the pointer fingerprint_b64 pointing to at the time failf() is called, it may either crash the application or it may print out whatever was in memory at the time leading to information leak in the fail log.