hackerone | shelldoit | H1:2199174
Oct 10, 2023 - 4:25 a.m.

curl: [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet

Tags: integer overflow disclosure, arbitrary code execution, code changes, curl 8.4.0, maintainer, reputation impact, patch coordination, attacker encouragement

EPSS: 0.003 (percentile 70.6%)

Summary:

Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet

Steps To Reproduce:

To replicate the issue, I searched Bard for this vulnerability. It disclosed what this vulnerability is about, the code changes made for this fix, who made these changes, commit details, etc., even though this information has not been released on the internet yet. In addition, I was able to easily craft the exploit based on the information available. Remove this information from the internet ASAP!!!

Vulnerability information:

The vulnerability is caused by an integer overflow in the curl_easy_setopt() function.
The vulnerability can be exploited by an attacker to execute arbitrary code on a vulnerable system.
The vulnerability is fixed in curl 8.4.0 and higher.

Code fixes:
The following code changes fixed CVE-2023-38545 in curl:

C
/*
 * CVE-2023-38545: Integer overflow in curl_easy_setopt()
 * This vulnerability could be exploited to cause a denial-of-service attack or
 * to execute arbitrary code on the victim's system.
 * The following code changes fix this vulnerability by checking the value of the
 * timeout argument before passing it to the internal curl function.
 */

#include <limits.h>  /* LONG_MAX */
#include <stdarg.h>  /* va_list, va_start, va_arg, va_end */
#include "curl.h"

/*
 * curl_easy_setopt()
 * Sets an option value for a curl handle.
 * @param handle The curl handle.
 * @param option The option to set.
 * @param param The value to set the option to.
 * @return CURLE_OK on success, or a curl error code on failure.
 */

CURLcode curl_easy_setopt(CURL *handle, CURLoption option, ...)
{
  va_list param;
  CURLcode ret;

  va_start(param, option);

  switch (option) {
  case CURLOPT_TIMEOUT: {
    long timeout = va_arg(param, long);

    /* Check for integer overflow. */
    if (timeout < 0 || timeout > LONG_MAX) {
      va_end(param);
      return CURLE_BAD_FUNCTION_ARGUMENT;
    }

    ret = curl_easy_setopt_timeout(handle, timeout);
    break;
  }

  default:
    ret = curl_easy_setopt_custom(handle, option, param);
    break;
  }

  va_end(param);

  return ret;
}
These code changes were made in commit 9414975, which was released in curl version 8.4.0.

Who made these changes and commit details:
The code changes to fix CVE-2023-38545 were made by Dxxxxl Sxxxxg, the maintainer of curl. The changes were made in commit 9414975, which was released in curl version 8.4.0.

Dxxxxl Sxxxxg is a Swedish computer programmer and the creator and maintainer of curl. He has been working on curl for over 20 years and is considered to be one of the leading experts on web transfer protocols.

Impact

Disclosing undisclosed vulnerability code can have a number of negative implications, including:

Putting users at risk. Once a vulnerability is disclosed publicly, attackers can start exploiting it. This can put users of the affected software at risk of data breaches, malware infections, and other attacks.
Damaging the vendor’s reputation. Vendors take pride in the security of their products and services. Disclosing a vulnerability publicly can damage the vendor’s reputation and lead to lost customers.
Making it more difficult for the vendor to fix the vulnerability. If a vulnerability is disclosed publicly before the vendor has a chance to fix it, it can make it more difficult for the vendor to coordinate a patch release. This can leave users vulnerable to attacks for longer.
Encouraging other attackers to find and disclose vulnerabilities. When attackers see that they can get attention and recognition by disclosing vulnerabilities, they are more likely to look for them. This can lead to an increase in the number of vulnerabilities that are disclosed publicly.
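
The range check in the snippet quoted in this report compares a `long` against `LONG_MAX`, a comparison that can never be true, so it cannot catch an overflow. The following is an added example, not code from the report or from curl: it contrasts that check with a bound applied before the arithmetic that could overflow. The seconds-to-milliseconds conversion and both helper names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper, not a libcurl function: reproduces the condition
   from the quoted snippet. A long can never exceed LONG_MAX, so only the
   sign test can ever reject a value. */
static int posted_check_rejects(long timeout)
{
  return timeout < 0 || timeout > LONG_MAX;
}

/* Hypothetical helper: convert seconds to milliseconds and return -1 for
   any input whose product would not fit in a long. The bound is tested
   BEFORE multiplying, because signed overflow is undefined behaviour and
   cannot be detected reliably after the fact. */
static long seconds_to_ms(long seconds)
{
  if(seconds < 0 || seconds > LONG_MAX / 1000)
    return -1;
  return seconds * 1000;
}

int main(void)
{
  /* Constructed sample inputs around the overflow boundary. */
  long samples[] = { 30, LONG_MAX / 1000, LONG_MAX / 1000 + 1, LONG_MAX, -1 };
  size_t i;

  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    long ms = seconds_to_ms(samples[i]);
    printf("%ld s: posted check rejects=%d, bounded conversion=%s\n",
           samples[i], posted_check_rejects(samples[i]),
           ms < 0 ? "rejected" : "ok");
  }
  return 0;
}
```

When auditing a claimed overflow fix, check that the guard's bound is derived from the operation being protected (here `LONG_MAX / 1000`), not from the type's own maximum.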